Hash session id before using it as a cache context

Should we write a unit test for this? Can we?

This looks great!

+++ b/core/tests/Drupal/Tests/Core/Cache/Context/SessionCacheContextTest.php
@@ -0,0 +1,90 @@
+    $this->assertSame(FALSE, strpos($context1, $session_id), 'Session ID not contained in cache context');
...
+    $this->assertSame(FALSE, strpos($context1, $session1_id), 'Session ID not contained in cache context');
+    $this->assertSame(FALSE, strpos($context2, $session2_id), 'Session ID not contained in cache context');

Nit: should use assertFalse().

However, this is a task, not a bug. Everything works fine, this is just security hardening, which is an improvement.

You're right. Man I hate our incredibly confusing assertion function names. They so often don't do what you expect.

Committed c3b3ec1 and pushed to 8.3.x. Thanks!

diff --git a/core/tests/Drupal/Tests/Core/Cache/Context/SessionCacheContextTest.php b/core/tests/Drupal/Tests/Core/Cache/Context/SessionCacheContextTest.php
index 978c753..b621b2d 100644
--- a/core/tests/Drupal/Tests/Core/Cache/Context/SessionCacheContextTest.php
+++ b/core/tests/Drupal/Tests/Core/Cache/Context/SessionCacheContextTest.php
@@ -1,10 +1,5 @@
 <?php
 
-/**
- * @file
- * Contains \Drupal\Tests\Core\Cache\Context\SessionCacheContextTest
- */
-
 namespace Drupal\Tests\Core\Cache\Context;
 
 use Drupal\Core\Cache\Context\SessionCacheContext;

Fixed on commit.

After discussing with @catch we decided to backport this as bugfix to 8.2.x since it is "not working as well as it could". Committed 9025843 and pushed to 8.2.x. Thanks!