ideally, do the following: - authenticate a user (yielding their userId) - get current session - get sessionData from the current session - revoke old session - create a new session for userId giving it sessionData as well