The login phase usually contains SSL and regular info. This means that
session data may be leaked out of the SSL part somehow, if an attacker
can reach it via the regular part. PHP has a session_regenerate_id
function to switch to a new session once a user is logged in.