Regenerate session id to make sure that authenticated session uses different ID than one used before user authenticated. This is a countermeasure against session fixation attacks.

NB: session_regenerate_id() was added in PHP 4.3.2 (and new session cookie is only sent out in this call as of PHP 4.3.3), but PHP 4 is not vulnerable to session fixation problems in SquirrelMail because it prioritizes $base_uri subdirectory cookies differently than PHP 5, which is otherwise vulnerable. If we really want to, we could define our own session_regenerate_id() when one does not exist, but there seems to be no reason to do so.

• $str