### Impact
All id-providers using lib-auth `login` method. lib-auth should invalidate old session after login and replicate session attributes in a new one, however this is not the behavior in affected versions.

### Workarounds
Don’t use lib-auth for `login`.
Java API uses low-level structures and allows to invalidate previous session before auth-info is added.

### References

https://github.com/enonic/xp/issues/9253Read More