  1. Core Server
  2. SERVER-31116

Initial createUser command with lsid prohibited

    • Type: Bug
    • Resolution: Fixed
    • Priority: Major - P3
    • 3.6.0-rc0
    • Affects Version/s: None
    • Component/s: Internal Code
    • Labels:
      None
    • Fully Compatible
    • ALL
    • Platforms 2017-10-02

      Resolution: When the localhost bypass is in effect, the server ignores "lsid" in all commands and neither requires auth nor creates a session.


      Original report:

      Question for samantha.ritter or jason.carey.

      Current Drivers Session Spec says all commands include "lsid" if the server supports sessions, with the exceptions of auth commands and ismaster. So "createUser" should include "lsid".

      However, if the server is started with auth and it has no users, a driver might want to connect without authenticating and issue "createUser". For example, PyMongo's tests detect if the server has started with auth and has no user.

      If the initial "createUser" command is issued with "lsid", the server responds with error code 13, "there are no users authenticated".

      What should we do?:

      • createUser with "lsid" is permitted if there are no users created yet, but the server ignores "lsid" (creates no server session)
      • The Drivers Session Spec says that createUser omits "lsid" iff the application doesn't explicitly pass a ClientSession object and the connection isn't authenticated

      cc rstam.

      Also I'm curious what emily.stolfo has done to test the Ruby driver. Did you need to work around this?

            Assignee:
            mira.carey@mongodb.com Mira Carey
            Reporter:
            jesse@mongodb.com A. Jesse Jiryu Davis
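A simplified Python model of the behaviour discussed in this ticket, added here as an illustration and not taken from the MongoDB server or any driver. With `ignore_lsid_under_bypass=False` the first `createUser` carrying `lsid` fails with code 13 as reported; with `True` it follows the stated resolution, and the bypass ends once a user exists. `ModelServer`, `Conn`, `bootstrap`, the string session id and the second error message are hypothetical names and constructed values.

```python
from dataclasses import dataclass, field

UNAUTHORIZED = 13  # error code quoted in the report


@dataclass
class Conn:
    from_localhost: bool
    authenticated: bool = False


@dataclass
class ModelServer:
    ignore_lsid_under_bypass: bool  # False = reported behaviour, True = resolution
    users: set = field(default_factory=set)
    sessions: set = field(default_factory=set)

    def bypass_active(self, conn):
        # Assumed model of the localhost bypass: auth is on, no users exist
        # yet, and the client is connected from localhost.
        return conn.from_localhost and not self.users

    def run(self, conn, cmd):
        cmd = dict(cmd)
        bypass = self.bypass_active(conn)
        if bypass and self.ignore_lsid_under_bypass:
            cmd.pop("lsid", None)  # resolution: ignore lsid, create no session
        if "lsid" in cmd:
            if not conn.authenticated:
                return {"ok": 0, "code": UNAUTHORIZED,
                        "errmsg": "there are no users authenticated"}
            self.sessions.add(cmd["lsid"])  # real lsid is a document; a string here
        if not (conn.authenticated or bypass):
            # Constructed message for the model's generic auth failure.
            return {"ok": 0, "code": UNAUTHORIZED, "errmsg": "not authorized"}
        if "createUser" in cmd:
            self.users.add(cmd["createUser"])
        return {"ok": 1}


def bootstrap(ignore_lsid_under_bypass):
    """Send two unauthenticated createUser commands with lsid from localhost."""
    server = ModelServer(ignore_lsid_under_bypass)
    conn = Conn(from_localhost=True)
    lsid = "constructed-session-id"
    first = server.run(conn, {"createUser": "admin", "lsid": lsid})
    second = server.run(conn, {"createUser": "second-user", "lsid": lsid})
    return first, second, server
```
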