The proper sentinel value here for "no TLS session" is -1, not 0.

This, at minimum, was causing a lot of extraneous calls to destroy_session()
(from js_socket.c's do_js_close()) with an invalid (hopefully, not
otherwise used) cryptlib session ID of 0.

Nothing checks or logs the return value of destroy_session(), but I'd expect
it to be failing ... a lot.