Background
- The session id is a random value generated when a session is started. The session id is stored as a cookie in the browser such that on subsequent visits the data stored in the session can be loaded and reused. This issue is about the session id (cookie value) and not about the session name (cookie name).
  Drupal currently does not rely on the built-in PHP methods for generating the session id, but uses a random 32 byte value.
- Before Drupal 7.24 different methods were used for anonymous vs. authenticated users, such that anonymous session ids were less expensive to generate (see this commit; also note that the comment about "less random sessions" is wrong now).
- In contrast, Symfony does not expect the session id to be changed manually after the session has been started (see [...]\Session\Storage\Proxy\AbstractProxy::setId()) and relies completely on the PHP built-in function session_regenerate_id() (see [...]\Session\Storage\NativeSessionStorage::regenerate()).
Problem
- Our approach does not allow us to use session_regenerate_id().
- Instead, it is necessary to override NativeSessionStorage::regenerate() completely and re-implement the mechanism in custom code (see #801278: Authenticated users getting "less random" session IDs).
Proposed solution
PHP 5.4 and subsequently PHP 7.1 ship with improvements regarding session ID generation:
- Since PHP 5.4 the INI setting session.entropy_file defaults to /dev/urandom or /dev/arandom if one of them is available (compare session.c (5.4) with session.c (5.3)). On Windows, the Random API is used.
- On machines where /dev/urandom or /dev/arandom is present at compile time, session.entropy_length defaults to 32. On Windows, this seemingly has to be configured manually.
- PHP 7.1 removed session.entropy_file and session.entropy_length (together with session.hash_function and session.hash_bits_per_character) and reads the id directly from the operating system's CSPRNG instead; the two settings below replace them.
- Using session.sid_length, the length of the generated session id can be specified.
- With session.sid_bits_per_character it is possible to choose the alphabet for the generated session id (4, 5 or 6 bits per character).
According to the OWASP PHP Security Cheat Sheet:
PHP's default session facilities are considered safe, the generated PHPSessionID is random enough, but the storage is not necessarily safe.
- When using the Drupal Crypt::randomBytes() function, the best (most secure and best-performing) random source is selected automatically. The performance of both approaches was analyzed in #9. According to the results, no performance regression is to be expected when switching to PHP built-in session id generation.
→ Remove our custom code for generating session IDs and rely on the native PHP functionality instead.
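As an added example (this is not Drupal or PHP core code and not part of the issue), the following CLI script shows what relying on the native generator looks like on PHP 7.1+: it sets session.sid_length and session.sid_bits_per_character before session_start(), computes the resulting entropy, regenerates the id with session_regenerate_id() as Symfony's NativeSessionStorage does, and checks that the ids PHP hands back match the configured length and alphabet. The concrete values (48 characters, 6 bits per character) and the helper function names are assumptions for the example; the alphabets per bits-per-character setting are the ones documented in php.ini.

```php
<?php
// Added example for this issue (not Drupal or PHP core code): configure PHP's
// native session id generator (PHP >= 7.1) and verify the ids it produces.

declare(strict_types=1);

// Alphabet PHP uses for each session.sid_bits_per_character value (from php.ini docs),
// written as a regex character-class body.
function session_id_alphabet(int $bitsPerChar): string {
    switch ($bitsPerChar) {
        case 4: return '0-9a-f';          // 16 symbols
        case 5: return '0-9a-v';          // 32 symbols
        case 6: return '0-9a-zA-Z,\-';    // 64 symbols
        default: throw new InvalidArgumentException('session.sid_bits_per_character must be 4, 5 or 6');
    }
}

// Bits of entropy in an id produced by the native generator with these settings.
function session_id_entropy_bits(int $sidLength, int $bitsPerChar): int {
    return $sidLength * $bitsPerChar;
}

// True if $id has exactly the configured length and only uses the configured alphabet.
function session_id_matches_settings(string $id, int $sidLength, int $bitsPerChar): bool {
    $pattern = '/^[' . session_id_alphabet($bitsPerChar) . ']{' . $sidLength . '}$/';
    return preg_match($pattern, $id) === 1;
}

if (PHP_VERSION_ID < 70100) {
    fwrite(STDERR, "session.sid_length / session.sid_bits_per_character require PHP 7.1+\n");
    exit(1);
}

// Values chosen for this example (assumptions): 48 chars * 6 bits = 288 bits of entropy,
// versus the default 32 chars * 4 bits = 128 bits. Both settings are PHP_INI_ALL, so
// ini_set() works at runtime, but only before session_start().
$sidLength   = 48;
$bitsPerChar = 6;
ini_set('session.sid_length', (string) $sidLength);
ini_set('session.sid_bits_per_character', (string) $bitsPerChar);
ini_set('session.use_strict_mode', '1'); // refuse ids the server did not generate itself

// Start before producing any output, otherwise PHP reports the session cookie
// headers as already sent.
session_start();
$first = session_id();

// The call the issue proposes to rely on instead of hand-rolled ids.
// true = destroy the old session data so the previous id cannot be replayed.
session_regenerate_id(true);
$second = session_id();

foreach ([$first, $second] as $id) {
    if (!session_id_matches_settings($id, $sidLength, $bitsPerChar)) {
        throw new RuntimeException("Unexpected session id format: $id");
    }
}
if ($first === $second) {
    throw new RuntimeException('session_regenerate_id() did not change the id');
}

printf("Configured entropy: %d bits\n", session_id_entropy_bits($sidLength, $bitsPerChar));
printf("OK: both ids are %d chars from a %d-symbol alphabet\n", $sidLength, 1 << $bitsPerChar);
session_write_close();
```

The validation step is the check worth keeping in a test suite after the switch: if a deployment's php.ini still carries the removed session.entropy_* settings or overrides sid_length downwards, the regex fails loudly rather than silently accepting shorter ids.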