eZ Publish / Platform: EZP-14264

Improve security by regenerating session id on login

Description

For some reason, the code to regenerate the session id in ezsession is commented out with the comment "This doesn't seem to work as expected", probably by amos when the function was added in 3.2.

The attached patch re-enables it and properly updates the session data in the db if the user has a session (i.e. if the user had a session cookie).

      Discussion:

1. Why was it commented out? (Looked up the svn history in stable/3.2 and trunk, no clues.)
2. Does the patch look ok?
3. Should we also implement httponly session cookies like others do?
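The two measures discussed in this issue, rotating the session id at the moment of login and marking the session cookie HttpOnly, look like this in plain PHP. This is an added example written for this page, not eZ Publish's ezsession code and not the attached patch; `configureSessionCookie`, `checkCredentials`, `login` and `logout` are hypothetical names, and the user record inside `checkCredentials` is constructed for the demo.

```php
<?php
// Added example (not eZ Publish / ezsession code): rotate the session id on
// successful login and send the session cookie with HttpOnly (and Secure on TLS).
// Uses stock PHP sessions; checkCredentials() is a stand-in for the real user store.

declare(strict_types=1);

// Must run before session_start(); the array form of session_set_cookie_params
// exists since PHP 7.3.
function configureSessionCookie(bool $https): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // browser-session cookie
        'path'     => '/',
        'secure'   => $https,   // only sent over TLS when the site is served over HTTPS
        'httponly' => true,     // not readable through document.cookie
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');  // refuse ids the server never issued
    ini_set('session.use_only_cookies', '1'); // never take the id from the URL
}

// Stand-in credential check with a constructed user record. Returns the user id
// on success, null otherwise.
function checkCredentials(string $login, string $password): ?int
{
    static $users = null;
    if ($users === null) {
        $users = ['alice' => ['id' => 42, 'hash' => password_hash('correct horse', PASSWORD_DEFAULT)]];
    }
    if (!isset($users[$login]) || !password_verify($password, $users[$login]['hash'])) {
        return null;
    }
    return $users[$login]['id'];
}

function login(string $login, string $password): bool
{
    $userId = checkCredentials($login, $password);
    if ($userId === null) {
        return false;
    }

    // Regenerate *after* authentication succeeds: the id the browser presented
    // before login must not become an authenticated session. With true, PHP
    // deletes the old session record; for a database-backed handler
    // (session_set_save_handler) that means destroy() is called for the old id
    // and write() for the new one, so the row keyed by the old id is replaced
    // rather than left behind, which is the "update the session data in db"
    // step the issue describes.
    session_regenerate_id(true);

    // Only now bind the authenticated user to the (new) session id.
    $_SESSION['user_id']    = $userId;
    $_SESSION['login_time'] = time();
    return true;
}

function logout(): void
{
    $_SESSION = [];
    // Expire the cookie on the client as well as destroying the server-side record.
    $p = session_get_cookie_params();
    setcookie(session_name(), '', [
        'expires'  => time() - 42000,
        'path'     => $p['path'],
        'secure'   => $p['secure'],
        'httponly' => $p['httponly'],
        'samesite' => $p['samesite'],
    ]);
    session_destroy();
}

// Usage with a constructed request: the id before and after login must differ.
configureSessionCookie(!empty($_SERVER['HTTPS']));
session_start();
$before = session_id();
if (login('alice', 'correct horse')) {
    $after = session_id();
    echo ($before !== $after) ? "session id rotated at login\n"
                              : "WARNING: session id unchanged after login\n";
}
```

The order matters: the user data is written to `$_SESSION` only after `session_regenerate_id(true)`, so nothing authenticated is ever stored under the pre-login id. A quick check for the behaviour this issue re-enables is to log in with a known session cookie and confirm the `Set-Cookie` response header carries a different id and the `HttpOnly` attribute.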

People: andre1