Have you tried using SessionCreationPolicy.STATELESS? There is a subtle difference between STATELESS and NEVER in the Spring docs:

STATELESS: Spring Security will never create an HttpSession and it will never use it to obtain the SecurityContext.

NEVER: Spring Security will never create an HttpSession, but will use the HttpSession if it already exists.

So I would suggest that you clear all your cookies, switch it to STATELESS and try again. It could be that you already had an HttpSession when you switched to NEVER.
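
For reference, a configuration that sets the policy discussed in this answer. This is an added example, not code from the original answer. It assumes Spring Security 6 with the lambda DSL and a SecurityFilterChain bean. The class name, the bean name and the choice of HTTP Basic as the per-request credential are hypothetical.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.http.SessionCreationPolicy;
import org.springframework.security.web.SecurityFilterChain;

// Hypothetical configuration class for an API that authenticates every request.
@Configuration
@EnableWebSecurity
public class StatelessSecurityConfig {

    @Bean
    public SecurityFilterChain apiFilterChain(HttpSecurity http) throws Exception {
        http
            // Every request must carry its own credentials.
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())

            // STATELESS: no HttpSession is created, and an existing one is never
            // consulted for the SecurityContext. A leftover JSESSIONID cookie from
            // an earlier login therefore cannot authenticate a request.
            .sessionManagement(session ->
                session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))

            // For comparison, the setting the answer warns about:
            //   session.sessionCreationPolicy(SessionCreationPolicy.NEVER)
            // Spring Security would still not create a session, but a session that
            // already exists (created earlier, or by other application code) would
            // be used to restore the SecurityContext.

            // Assumed per-request authentication mechanism for this example.
            .httpBasic(Customizer.withDefaults());

        return http.build();
    }
}
```

To check the effect, send a request with an old session cookie and no credentials: under STATELESS it should be rejected with 401, and the response should carry no Set-Cookie header for a new session.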