Please find the below observation:
It looks like upgrading to spring boot 3.4.3 introduced unexpected session creation, despite your stateless JWT-based authentication setup.

Possible Causes:

Spring Security Changes: While Spring Security itself does not create sessions in a stateless setup, other parts of the framework or dependencies might be triggering session creation.

Servlet Container Behavior: Some servlet containers (like Tomcat) may automatically create sessions unless explicitly disabled.

Spring Boot Internal Changes: There might be changes in Spring Boot 3.x that affect session handling, even when SessionCreationPolicy.STATELESS is set.

Potential Solutions:

Explicitly Disable Session Creation Try adding this to your security configuration:

http.sessionManagment(session -> sessionCreationPolicy(SessionCreationPolicy.NEVER));

This ensures that Spring Security never creates a session.

Check for Other Session-\ Creating Components

Look for any filters or interceptors that might be triggering session creation.

Debug by checking HttpServletRequest#getSession(false) to see where sessions are being created.

Disable Session Cookies in Application Properties Add this to application.properties file

server.servlet.session.cookie.name=

This prevents the JSESSIONID cookie from being set.

Verify Dependencies

Check if any dependencies (like Spring Session) are influencing session behavior.

If using Spring Session, ensure it's properly configured for stateless operation.

Please feel free to reach out if you encounter this issue again.