In T12509, we moved away from HMAC-SHA1 for new code. One older workflow still using HMAC-SHA1 is session digests.
In connection with T13222, I'm upgrading these to HMAC-SHA256, but leaving some SHA1 code for compatibility. This should be removed after a reasonable period of time elapses (removing the compatibility code too quickly will log everyone out).