FlowSession: renewId() loses data of existing session
Using FlowSession, on renewing the session identifier (for example after an authenticate() call), some session data seems to get lost, most importantly the security context.
This is due to the current implementation of renewId(), which loads (i.e. unserializes) all current session data in order to store it to cache entries with the new session id. This effectively overwrites any security context or other session-scoped object currently in memory with the state found in the old cache entry.
[BUGFIX] FlowSession: Fixed renewId()
This patch provides a new implementation of FlowSession's renewId()
method. It previously loaded all data from the old cache entry in order
to write it into a cache entry with the new session identifier. This
effectively overwrote any existing session-scoped object which existed
in the old cache data.
The new implementation uses a session identifier independent internal
storage identifier which doesn't change on renewing the public session
identifier. This way we don't need to move around session data, but
can simply store a new mapping between session id and storage id.
This patch also lets the HTTP Request store only the baseUri instead of
the whole settings array which leads to a smaller footprint and less
information stored in a session (as the current request is, in most
cases, part of the serialized session data).
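
The two renewId() strategies described in the commit message above, as an added PHP sketch that is not Flow's own code. The class names, properties and the in-memory array standing in for the cache backend are all hypothetical.

```php
<?php // Added illustration; class and method names are hypothetical, not Flow's API.
final class SecurityContext { public bool $authenticated = false; }

abstract class ToySession {
    public array $cache = [];      // stands in for the session cache backend
    public array $objects = [];    // live session-scoped objects of this request
    public string $id;             // public session identifier (cookie value)
    protected static function newId(): string { return bin2hex(random_bytes(16)); }
}

// Old behaviour: data is keyed by the public id, so renewing has to copy it.
final class CopyingSession extends ToySession {
    public function __construct() {
        $this->id = self::newId();
        $this->objects['ctx'] = new SecurityContext();
        $this->cache[$this->id] = serialize($this->objects);
    }
    public function renewId(): void {
        $stale = $this->cache[$this->id];
        unset($this->cache[$this->id]);
        $this->id = self::newId();
        // Unserializing the stale entry replaces the live in-memory objects.
        $this->objects = unserialize($stale);
        $this->cache[$this->id] = $stale;
    }
}

// New behaviour: data is keyed by a stable storage id; only the mapping changes.
final class MappedSession extends ToySession {
    public array $idToStorage = [];
    private string $storageId;
    public function __construct() {
        $this->id = self::newId();
        $this->storageId = self::newId();
        $this->idToStorage[$this->id] = $this->storageId;
        $this->objects['ctx'] = new SecurityContext();
        $this->cache[$this->storageId] = serialize($this->objects);
    }
    public function renewId(): void {
        unset($this->idToStorage[$this->id]);   // old public id stops resolving
        $this->id = self::newId();
        $this->idToStorage[$this->id] = $this->storageId;
    }
}

foreach ([new CopyingSession(), new MappedSession()] as $session) {
    $session->objects['ctx']->authenticated = true;   // in-memory effect of authenticate()
    $session->renewId();
    printf("%s: authenticated=%s\n", get_class($session), var_export($session->objects['ctx']->authenticated, true));
}
```

Run with PHP 7.4 or later: the copying variant reports the security context as no longer authenticated after renewal, while the mapped variant keeps the in-memory state.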