Change session ID after authentication to prevent session hijacking.
work in progress.
Need to work out how to do this for BASIC and DIGEST, so the session ID only changes on the first time the session is authenticated.
Need to update test harnesses
For now I have gone with a solution that recreates the entire session rather than silently change the ID. This means listeners will fire, but then they need to so that code that uses the session ID as an index can be updated