DefaultSessionManager uses predictable java.util.Random instead of java.security.SecureRandom

This popped up during an audit. Is there any reason to not use SecureRandom to generate the session id? Could be easily switched.