The original issue was #13026 and PR #13048 was a straight forward solution. This does not work for PHP <= 5.4.11 as stated by @derrabus in #13269. After reverting the PR in #13282, the original issue still exists.

I see the following options:

• Call $request->getSession()->migrate(true) (https://github.com/symfony/symfony/blob/2.3/src/Symfony/Component/Security/Http/Session/SessionAuthenticationStrategy.php#L50) only with true, if PHP is >5.4.11 (see PR [Security] Don't destroy the session on buggy php releases. #13286)
• Add a new strategy to make it configurable if the session is migrated with session_regenerate_id(false) or session_regenerate_id(true)
• Find a workaround

Like @derrabus I'm in favor of using true depending on the PHP version.

What are your opinions?