FlowSession: renewId() looses data of existing session
Using FlowSession, on renewing the session identifier (for example after an authenticate() call), some session data seems to get lost, most importantly the security context.
This is due to the current implementation of renewId() which loads (ie. unserializes) all current session data in order to store it to cache entries with the new session id. This effectively overwrites any security context or other session-scoped object currently in memory with the state found in the old cache entry.