diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index 60ef91c..49f1b61 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -1,4 +1,9 @@
 security:
+    # Login controller already calls $session->migrate(true) on login.
+    # Keeping 'migrate' would regenerate the session ID on every authenticated
+    # API request, which breaks concurrent requests from the SPA (race condition).
+    session_fixation_strategy: none
+
     # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
     password_hashers:
         Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'