Session shutdown might keep destroyed session alive
There's a race condition in multi-server setups regarding the session shutdown: If a session has been destroyed by a second server between start() / resume() and shutdownObject(), the shutdown method will implicitly revive the session because it writes the session entry into the storage cache without checking if the session still exists.
[BUGFIX] Fix race condition in session shutdown
This protects sessions against being revived through the shutdown
method even though they were destroyed remotely in the meantime.
This patch also contains a small modification and related test to make
sure that incoming session cookies are not blindly sent back to the
user agent in the response. Instead, a clean, new session cookie with
the parameters set in Flow's settings is created.
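The race described in the report, as an added example in PHP 8 that is not Flow's own code and not part of the patch. `SharedCache`, `DemoSession` and the `$checkOnShutdown` switch are hypothetical names; only the method names `start()`, `resume()`, `destroy()` and `shutdownObject()` follow the ticket. The loop runs the same sequence twice, first without and then with the existence check on shutdown.

```php
<?php
declare(strict_types=1);
// Constructed stand-in for the session storage cache shared by all servers.
final class SharedCache
{
    private array $entries = [];
    public function has(string $id): bool { return isset($this->entries[$id]); }
    public function set(string $id, array $data): void { $this->entries[$id] = $data; }
    public function remove(string $id): void { unset($this->entries[$id]); }
}

// Hypothetical session class: method names follow the ticket, bodies are illustrative.
final class DemoSession
{
    private bool $started = false;
    private array $data = [];
    // $checkOnShutdown = false reproduces the behaviour described in the report.
    public function __construct(private SharedCache $cache, private string $id, private bool $checkOnShutdown) {}

    public function start(): void
    {
        $this->started = true;
        $this->data = ['lastActivity' => time()];
        $this->cache->set($this->id, $this->data);
    }

    public function resume(): void { $this->started = $this->cache->has($this->id); }
    public function destroy(): void { $this->cache->remove($this->id); $this->started = false; }

    public function shutdownObject(): void
    {
        if (!$this->started) { return; }
        // Re-check the shared storage so a remotely destroyed session stays destroyed.
        if ($this->checkOnShutdown && !$this->cache->has($this->id)) { return; }
        $this->cache->set($this->id, $this->data);
    }
}

foreach ([false, true] as $check) {
    $cache = new SharedCache();
    $a = new DemoSession($cache, 'constructed-id', $check); // server A
    $a->start();
    $b = new DemoSession($cache, 'constructed-id', $check); // server B
    $b->resume();
    $b->destroy();        // session destroyed remotely
    $a->shutdownObject(); // server A ends its request afterwards
    printf("check=%s revived=%s\n", var_export($check, true), var_export($cache->has('constructed-id'), true));
}
```

In this model the existence check and the write are two separate cache calls, so a storage backend without an atomic conditional write still leaves a short window between them.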