Legacy random session ID generation is incompatible with symfony/http-foundation v4.4.42

Problem/Motivation

The release of symfony/http-foundation v4.4.42 validates and recreates the session ID when it's not valid.
\Drupal\Core\Session\SessionManager::getId() generates a random session ID if a session is not started yet.
The ID generated through \Drupal\Component\Utility\Crypt::randomBytesBase64() can contain invalid characters such as underscores.
The next time that the session is started, the Symfony component will regenerate the id and the session data will be lost.
Calling \Drupal\Core\Session\SessionManager::getId() is already deprecated as indicated in code and in this change record → .

Steps to reproduce

This issue was encountered during tests while using the cas module version 1.7.0 but it can be reproduced by calling \Drupal\Core\Session\SessionManager::getId() before a session exists.

Proposed resolution

None at the moment, I'm creating this just as a reference for users that might run into the same.
It can be fixed by

1. not calling getId() and using alternatives as explained in change record Drupal uses PHP session ID generation → .
2. locking symfony/http-foundation to 4.4.41, at least until the point above is fixed.

Writing a test is hard as the ID generation is random so it fails only sometimes.

Remaining tasks

To be discussed, since now calling the above method can actually create issues.

User interface changes

None.

API changes

TBD.

Data model changes

None.