
Symfony 1.4 re-creating sessions/sessionid when changing authentication

I'm using symfony 1.4 and it appears that every time a user is authenticated symfony recreates a session for the user. For example, if I visit a site and am not logged in I have a different session id than if I log in, when I have a new one; then when I log out I have yet another new one. This wasn't so in symfony 1.0 and I am wondering if this is how it's supposed to be?


I just checked 1.0's source code, it did not exist there.
Versions 1.1 and above regenerate the session ID every time the authentication is changed, or a credential is added/removed.
This is a very good security measure, as it prevents session fixation attacks.

Here's a link to the relevant changeset in trac.


This is correct behavior. It's related to PHP sessions rather than to how symfony handles them. I don't think it used to be different in symfony 1.0.

A session id should be unique and hard to guess. If you always got the same session id, then someone who once sniffed it could use it whenever he wants (store it in a cookie and use the website with your credentials).
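As an added illustration (not Symfony's own sfBasicSecurityUser code, nor code from either answer), here is a minimal PHP sketch of the behaviour the two answers describe: the session ID is regenerated only when the authentication flag or the credential set actually changes, so a visitor keeps one ID while browsing anonymously but gets a new one at login and another at logout. The class name and its methods are hypothetical.

```php
<?php
// Constructed example: a tiny security-user object that regenerates the
// PHP session ID on every authentication or credential change. It is not
// Symfony's sfBasicSecurityUser, just the same idea built directly on
// PHP's session functions.
class MinimalSecurityUser
{
    private $authenticated = false;
    private $credentials = array();

    public function __construct()
    {
        if (session_id() === '') {
            session_start();
        }
        $this->authenticated = !empty($_SESSION['authenticated']);
        $this->credentials = isset($_SESSION['credentials']) ? $_SESSION['credentials'] : array();
    }

    public function setAuthenticated($authenticated)
    {
        $authenticated = (bool) $authenticated;
        if ($authenticated === $this->authenticated) {
            return; // state unchanged: the session ID stays the same
        }
        $this->authenticated = $authenticated;
        $_SESSION['authenticated'] = $authenticated;
        if (!$authenticated) {
            $this->credentials = array(); // logging out drops credentials too
            $_SESSION['credentials'] = array();
        }
        // Fresh ID on each privilege transition; `true` deletes the old session
        // data so a pre-login ID that was sniffed or planted is useless afterwards.
        session_regenerate_id(true);
    }

    public function addCredential($credential)
    {
        if (!in_array($credential, $this->credentials, true)) {
            $this->credentials[] = $credential;
            $_SESSION['credentials'] = $this->credentials;
            session_regenerate_id(true); // privilege gained: new ID as well
        }
    }
}

// Typical flow: three different session IDs across visit, login and logout.
$user = new MinimalSecurityUser();
$user->setAuthenticated(true);   // ID changes
$user->addCredential('admin');   // ID changes again
$user->setAuthenticated(false);  // and once more on logout
```

Removing a credential would follow the same pattern as addCredential: change the stored set, then call session_regenerate_id(true).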
