Some sources says that the web browser generates the session key. Now if the web browser generates it then its vulnerable for replay attacks.
Also some sources says that the server generates a part of it and the rest the client generates. How does HTTPS generate session keys?
Both the client and the server generate a Nonce which is used along with other data to generate the "Pre-Master Secret". Even after the connection has closed a session can be resumed and the same "Master Secret" is used. All of this is covered in The first few milliseconds of an HTTPS Connection.
