DefaultSessionManager uses predictable java.util.Random instead of java.security.SecureRandom

[rlking]

This popped up during an audit. Is there any reason to not use SecureRandom to generate the session id? Could be easily switched.

[mnriem]

@rlking Can you supply a PR?