doc/design.md indicates that the security module assigns session IDs to new user sessions, but I haven't been able to find where this happens, only that the SID gets passed around through a bunch of protobufs and used as a client session cookie. Could someone point me in the right direction? Thank you! -Vincent