diff --git a/core/src/main/java/org/springframework/security/core/session/SessionRegistryImpl.java b/core/src/main/java/org/springframework/security/core/session/SessionRegistryImpl.java
index 39e8f22c7a..2180a37e52 100644
--- a/core/src/main/java/org/springframework/security/core/session/SessionRegistryImpl.java
+++ b/core/src/main/java/org/springframework/security/core/session/SessionRegistryImpl.java
@@ -62,7 +62,7 @@ public class SessionRegistryImpl implements SessionRegistry, ApplicationListener
         final Set<String> sessionsUsedByPrincipal = principals.get(principal);
 
         if (sessionsUsedByPrincipal == null) {
-            return null;
+            return Collections.emptyList();
         }
 
         List<SessionInformation> list = new ArrayList<SessionInformation>(sessionsUsedByPrincipal.size());
diff --git a/core/src/test/java/org/springframework/security/core/session/SessionRegistryImplTests.java b/core/src/test/java/org/springframework/security/core/session/SessionRegistryImplTests.java
index 28c7c5ce48..7949b31968 100644
--- a/core/src/test/java/org/springframework/security/core/session/SessionRegistryImplTests.java
+++ b/core/src/test/java/org/springframework/security/core/session/SessionRegistryImplTests.java
@@ -117,7 +117,7 @@ public class SessionRegistryImplTests {
 
         // Check attempts to retrieve cleared session return null
         assertNull(sessionRegistry.getSessionInformation(sessionId));
-        assertNull(sessionRegistry.getAllSessions(principal, false));
+        assertEquals(0, sessionRegistry.getAllSessions(principal, false).size());
     }
 
     @Test
@@ -168,7 +168,7 @@ public class SessionRegistryImplTests {
 
         sessionRegistry.removeSessionInformation(sessionId2);
         assertNull(sessionRegistry.getSessionInformation(sessionId2));
-        assertNull(sessionRegistry.getAllSessions(principal, false));
+        assertEquals(0, sessionRegistry.getAllSessions(principal, false).size());
     }
 
     private boolean contains(String sessionId, Object principal) {
diff --git a/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.java b/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.java
index 73012a159a..513e120c56 100644
--- a/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.java
+++ b/web/src/main/java/org/springframework/security/web/authentication/session/ConcurrentSessionControlStrategy.java
@@ -69,7 +69,7 @@ public class ConcurrentSessionControlStrategy extends SessionFixationProtectionS
 
         final List<SessionInformation> sessions = sessionRegistry.getAllSessions(authentication.getPrincipal(), false);
 
-        int sessionCount = sessions == null ? 0 : sessions.size();
+        int sessionCount = sessions.size();
         int allowedSessions = getMaximumSessionsForThisUser(authentication);
 
         if (sessionCount < allowedSessions) {