Not sure if it is really a bug, but when (with the default oauth auth configured) I try to login to a rest method, I get back a new session cookie every time (the browser of course sends the session cookie received in the last response). The session data is stored correctly in the fs/db - it only contains the string "eZUserLoggedInID" with value 10 for anon user.

I would expect the system non to generate a new session for me if I send a valid session cookie - as that might fill the session table.

But then, I know little to nothing about oauth - maybe that is to be expected...