Description
I'm a bit confused by `SpringSessionBackedSessionRegistry` and in particular the comments:

> This is a no-op, as we don't administer sessions ourselves.

Because, we (Spring Session) do administer sessions ourselves. That's what the `SessionRepository` is, no?

I see various Spring Security examples that use `SessionRegistry` to manage sessions - e.g. by invalidating current sessions on password changes. Surely the purpose of this adapter is to keep all that working but delegate to the Spring Session storage rather than Security's default in-memory implementation?

I can see why `registerNewSession` and maybe `refreshLastRequest` wouldn't need to do anything (but maybe they should check if the session is being manually created rather than going through the usual system), but surely `removeSessionInformation` should actually remove the session?