User:Brion VIBBER/loadFromSession

first...
 * We try to get a user ID:
 * - from session wsUserID
 * if not set in session, then check:
 * - from cookie UserID
 * -> put into the session


 * We try to get a user name:
 * - from session wsUserName
 * if not set in session, then check:
 * - from cookie UserName
 * -> insert into the session


 * If the ID doesn't load a valid user account, we abort.


 * We try to match user_token:
 * - from session wsToken
 * if not set in session, then check:
 * - from cookie Token


 * If no token is around, we abort.


 * Check if our session/cookie-sourced user name matches internal name
 * if not, we abort
 * This confirms that the ID and user name match.
 * This looks like it will do a PHP notice and fail if the name session var/cookie wasn't set, although the id is what's used.


 * Check if token matched
 * if not, we abort
 * If matched, save the token into the session.

Conclusions:
 * Cookie values for ID, username, and token are ignored if values are already present in the session.
 * Cookie values for ID and username are saved into the session without validation if cookies are present but cookie vars were not
 * Cookie value for token is saved into the session if not previously set, only with validation.

So, hypothetically if you end up with someone else's session key you're going to have a very confusing time.

It might be safer to abort the session and generate a new session key if the id/name don't match.