
SEC-444: Handle synchronization issues if multiple authentications taking place for same session ID concurrently.

Ben Alex 18 anni fa
parent
commit
3b9a8dc53e

+ 0 - 1
core/src/main/java/org/acegisecurity/concurrent/ConcurrentSessionControllerImpl.java

@@ -140,7 +140,6 @@ public class ConcurrentSessionControllerImpl implements ConcurrentSessionControl
         Object principal = SessionRegistryUtils.obtainPrincipalFromAuthentication(authentication);
         String sessionId = SessionRegistryUtils.obtainSessionIdFromAuthentication(authentication);
 
-        sessionRegistry.removeSessionInformation(sessionId);
         sessionRegistry.registerNewSession(sessionId, principal);
     }
 

+ 2 - 4
core/src/main/java/org/acegisecurity/concurrent/SessionRegistryImpl.java

@@ -112,14 +112,12 @@ public class SessionRegistryImpl implements SessionRegistry,
         }
     }
 
-    public void registerNewSession(String sessionId, Object principal)
-        throws SessionAlreadyUsedException {
+    public synchronized void registerNewSession(String sessionId, Object principal) {
         Assert.hasText(sessionId, "SessionId required as per interface contract");
         Assert.notNull(principal, "Principal required as per interface contract");
 
         if (getSessionInformation(sessionId) != null) {
-            throw new SessionAlreadyUsedException("Session " + sessionId
-                + " is already is use");
+            removeSessionInformation(sessionId);
         }
 
         sessionIds.put(sessionId,
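Review bot: The `synchronized` added to `registerNewSession` makes the check-remove-put sequence atomic only against other callers of this same method. `removeSessionInformation` is also callable from outside the class (the controller invoked it directly before this commit), and this hunk does not show whether it or `getSessionInformation` takes the same monitor. If they do not, a removal on another thread can still land between the `getSessionInformation(sessionId) != null` test and `sessionIds.put(...)`, leaving the registry inconsistent, and the concurrent-session limit presumably depends on that bookkeeping. I would guard every mutator of the registry with the same lock and record the invariant in a comment such as `// Guarded by "this": every read or write of sessionIds must hold the registry monitor`. Since the method now silently replaces an existing registration instead of throwing `SessionAlreadyUsedException`, its Javadoc should say so; the method body continues past the end of the hunk.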