Heartbeat during the request calling reinitializeSession causes Session Tim

We are using VaadinService.reinitializeSession to prevent session fixation attacks.

We’re encountering a problem however whereby if a heartbeat occurs during the processing of the request that calls reinitializeSession, then the Session Timeout banner is displayed. This is due to the queued up heartbeat request having the JSESSIONID of the old, now invalidated, session.

Has anybody else seen this? Obviously the window for it to happen is quite small - to reproduce reliably we’ve had to insert a Thread.sleep delay into the request that calls reinitializeSession, and manually time it to coincide with the next heartbeat.

This had previously been reported in ticket https://dev.vaadin.com/ticket/19634
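
Added example, not part of the original post and not Vaadin code: a plain-Java model of the race as the post describes it, with the steps ordered deterministically instead of relying on a timed delay. `SessionStore`, `reinitialize` and `heartbeat` are hypothetical stand-ins for the servlet container's session handling, and the model assumes a queued heartbeat keeps the session id it was created with.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

// Constructed model of the race; not Vaadin code. SessionStore stands in for the
// servlet container, and the String ids stand in for JSESSIONID cookie values.
public class HeartbeatRaceModel {

    static class SessionStore {
        private final Map<String, Map<String, Object>> sessions = new HashMap<>();

        String create() {
            String id = UUID.randomUUID().toString();
            sessions.put(id, new HashMap<>());
            return id;
        }

        // What session re-initialisation amounts to: new id, attributes carried
        // over, old id invalidated so a fixated id is useless after login.
        String reinitialize(String oldId) {
            Map<String, Object> attrs = sessions.remove(oldId);
            if (attrs == null) throw new IllegalStateException("unknown session");
            String newId = UUID.randomUUID().toString();
            sessions.put(newId, attrs);
            return newId;
        }

        // A heartbeat only succeeds if the id it carries is still valid.
        String heartbeat(String cookieId) {
            return sessions.containsKey(cookieId) ? "OK" : "SESSION_EXPIRED";
        }
    }

    public static void main(String[] args) {
        SessionStore server = new SessionStore();
        String cookie = server.create();            // browser's cookie before login

        // 1. Login request is in flight (server side is slow, cf. Thread.sleep).
        // 2. Heartbeat timer fires meanwhile; the request is built with the
        //    cookie the browser holds at that moment, i.e. the old id.
        String queuedHeartbeatCookie = cookie;

        // 3. Server handles the login and rotates the session id.
        cookie = server.reinitialize(cookie);       // browser cookie updated by response

        // 4. Queued heartbeat reaches the server with the stale id.
        System.out.println("queued heartbeat: " + server.heartbeat(queuedHeartbeatCookie));
        // A heartbeat created after the response carries the new id.
        System.out.println("later heartbeat:  " + server.heartbeat(cookie));
    }
}
```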