Comment 3 for bug 1420457

Andrew Laski (alaski) wrote :

I can't speak to what the session id is used for exactly, though it seems to be that it's just an identifier to verify the response matches the request. But this code is only used to verify if a VPN connection is listening, there is no session exposed from this. In other words this code is used for a boolean response and therefore exposes no security vulnerability that I can see. I do agree that the code could be rewritten a bit to document why the random session is fine, and actually return a boolean rather than a session, but as it's used now I see nothing that warrants keeping this bug as private.