After session upgrading a stateless session, a new cookie is returned to the user's browser containing the details of the upgraded session. The XUI currently does not overwrite its existing cookie with this new one, meaning the session upgrade never propagates back to the client (and is therefore 'lost' as the server retains no state).
Steps to reproduce:
i) Activate stateless sessions
ii) Create an anonymous auth module, called anonymous
iii) Log in with the anonymous auth module, &module=anonymous
iv) Without logging out, log in with &service=ldapService as demo user
You should see: The demo user's account page
You do see: The anonymous user's account page
Upon checking the state of the browser's cookies, the client still has the anonymous user's cookie rather than the newly-generated demo user's.
The classic UI works correctly, and displays the anonymous user's account page.