Switch to server-side sessions

[nextgens]

What type of PR?

bug-fix

What does this PR do?

It simplifies session management.

• it ensures that sessions will eventually expire (*)
• it implements some mitigation against session-fixation attacks
• it switches from client-side to server-side sessions (in Redis)

It doesn't prevent us from (re)-implementing a "remember_me" type of feature if that's considered useful by some.

[mergify]

Thanks for submitting this pull request.
Bors-ng will now build test images. When it succeeds, we will continue to review and test your PR.

bors try

Note: if this build fails, read this.

[bors]

try

Build failed:

• continuous-integration/travis-ci/push

[lub]

It's missing a newsfragment (to later generate the changelog), otherwise seems fine.

[lub]

Should we backport this?

Pull request has been modified.

[nextgens]

It's missing a newsfragment (to later generate the changelog), otherwise seems fine.

I'm not sure how to phrase it... that's why I've left it out. Feel free to improve upon it :)
We may want to mention the change to session lifetime... but I'm not sure how the towncrier output will look like

[nextgens]

Should we backport this?

I'd say yes... but we may want to wait until it gets some additional field testing.

[Diman0]

It looks good to me. It is nice we can prevent replay attacks with this. This will make mailu more secure.
If this functionality does not work properly, we must not forget to revert the backport.
Fortunately test.mailu.io will be automatically updated later today. So we can already test via test.mailu.io.
However we should also test mailu 1.8.

[mergify]

bors r+

[bors]

Build succeeded:

• continuous-integration/travis-ci/push