This isn't actually correct, but it works with the Linux client, and
agrees with the behavior we used to have before commit 80fc015b.

Later patches will implement the spec-mandated behavior (which is to use
the security parameters explicitly given by the client in create_session
or backchannel_ctl).
Signed-off-by: J. Bruce Fields <bfields@redhat.com>