Session creation when calling /api
It appears that a new Session is created every time a call to /api is made. This can be seen in response headers as a Set-Cookie: header (and is logged with WhoMakesTheSession listener).

/api does not need session support and should not be generating them.

Perhaps a separate SecurityChain is required?
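
A regression check for the behaviour reported above, added here as an example and not taken from the project's code: it scans captured responses and reports every path under /api that issued a session cookie. The cookie names in SESSION_COOKIE_NAMES and the captured exchanges are assumptions constructed for illustration, since the report does not name the cookie.

```python
from http.cookies import SimpleCookie

# Assumption: names of cookies that carry a session id (the report names none).
SESSION_COOKIE_NAMES = {"JSESSIONID", "SESSION"}


def session_ids_issued(headers):
    """Return the session ids set by the Set-Cookie headers of one response."""
    ids = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        jar = SimpleCookie()
        jar.load(value)
        ids += [m.value for k, m in jar.items() if k.upper() in SESSION_COOKIE_NAMES]
    return ids


def audit(exchanges, prefix="/api"):
    """Map each path under `prefix` to the session ids its responses issued."""
    findings = {}
    for path, headers in exchanges:
        # Match /api and /api/..., but not a sibling such as /apix.
        if path == prefix or path.startswith(prefix + "/"):
            ids = session_ids_issued(headers)
            if ids:
                findings.setdefault(path, []).extend(ids)
    return findings


# Constructed sample: (request path, response headers). No request sent a cookie.
CAPTURED = [
    ("/api/status", [("Content-Type", "application/json"),
                     ("Set-Cookie", "JSESSIONID=AAA111; Path=/; HttpOnly")]),
    ("/api/status", [("Content-Type", "application/json"),
                     ("Set-Cookie", "JSESSIONID=BBB222; Path=/; HttpOnly")]),
    ("/login", [("Set-Cookie", "JSESSIONID=CCC333; Path=/; HttpOnly")]),
    ("/api/items", [("Content-Type", "application/json")]),
]

if __name__ == "__main__":
    for path, ids in audit(CAPTURED).items():
        # Distinct ids on repeated calls mean a new session per request.
        print(f"{path}: {len(ids)} response(s) set a session cookie, "
              f"{len(set(ids))} distinct id(s)")
```

Once /api stops creating sessions, `audit` should return an empty dict for the same traffic.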