See: Description
| Interface | Description | 
|---|---|
| SessionAuthenticationStrategy | Allows pluggable support for HttpSession-related behaviour when an authentication
 occurs. | 
| Class | Description | 
|---|---|
| ChangeSessionIdAuthenticationStrategy | Uses  HttpServletRequest.changeSessionId()to protect against session fixation
 attacks. | 
| CompositeSessionAuthenticationStrategy | A  SessionAuthenticationStrategythat accepts multipleSessionAuthenticationStrategyimplementations to delegate to. | 
| ConcurrentSessionControlAuthenticationStrategy | Strategy which handles concurrent session-control. | 
| NullAuthenticatedSessionStrategy | |
| RegisterSessionAuthenticationStrategy | Strategy used to register a user with the  SessionRegistryafter successfulAuthentication. | 
| SessionFixationProtectionEvent | Indicates a session ID was changed for the purposes of session fixation protection. | 
| SessionFixationProtectionStrategy | Uses  HttpServletRequest.invalidate()to protect against session fixation
 attacks. | 
| Exception | Description | 
|---|---|
| SessionAuthenticationException | Thrown by an SessionAuthenticationStrategy to indicate that an authentication
 object is not valid for the current session, typically because the same user has
 exceeded the number of sessions they are allowed to have concurrently. | 
Comes with support for: