Based on https://github.com/spring-projects/spring-security/issues/18106, there is a Principal#equals check in TransportHandlingSockJsService to ensure the user of the current request matches the one that established the SockJsSession. In the latest version of Spring Security there is a refinement after which it fails, and is expected to fail due to a timestamp difference. The check is not essential and could be dropped or adjusted to compare user names only.
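The failure mode and the proposed name-only comparison, as an added sketch that is not Spring's code and not part of the original issue. `TimestampedPrincipal`, `strictMatch` and `nameMatch` are hypothetical names, the timestamps are constructed, and the example assumes the principal's `equals` covers a per-authentication timestamp field:

```java
import java.security.Principal;
import java.time.Instant;
import java.util.Objects;

public class SessionPrincipalCheck {

    // Hypothetical principal (not a Spring Security class). As a record, its
    // generated equals() compares both name and issuedAt.
    record TimestampedPrincipal(String name, Instant issuedAt) implements Principal {
        @Override
        public String getName() {
            return name;
        }
    }

    // Strict form: relies on Principal#equals, so any extra field takes part.
    static boolean strictMatch(Principal sessionUser, Principal requestUser) {
        return Objects.equals(sessionUser, requestUser);
    }

    // Name-only form: still rejects a different user, but ignores fields that
    // legitimately change between requests. Choice made for this example: two
    // absent principals match, one absent principal does not.
    static boolean nameMatch(Principal sessionUser, Principal requestUser) {
        if (sessionUser == null || requestUser == null) {
            return sessionUser == requestUser;
        }
        return Objects.equals(sessionUser.getName(), requestUser.getName());
    }

    public static void main(String[] args) {
        Instant opened = Instant.parse("2025-01-01T00:00:00Z"); // constructed sample time
        Principal sessionUser = new TimestampedPrincipal("alice", opened);
        Principal sameUserLater = new TimestampedPrincipal("alice", opened.plusSeconds(5));
        Principal otherUser = new TimestampedPrincipal("mallory", opened);

        // Same user, later request: strict comparison rejects, name comparison accepts.
        System.out.println("strict, same user later: " + strictMatch(sessionUser, sameUserLater));
        System.out.println("name,   same user later: " + nameMatch(sessionUser, sameUserLater));

        // Different user on the same session: both comparisons reject.
        System.out.println("strict, other user: " + strictMatch(sessionUser, otherUser));
        System.out.println("name,   other user: " + nameMatch(sessionUser, otherUser));

        // Unauthenticated request against an authenticated session is rejected.
        System.out.println("name,   no request user: " + nameMatch(sessionUser, null));
    }
}
```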