* lti/cookieless : correctly handle sessions

This fixes erroneous code where session fetched was still the
cookie one if available and never replaced.

Flask doesn't deal at all with session hotswap and its context
stack, therefore the session manager creates the new session
when it detects the LTI launch page is requested.

* cookieless: do not hardcode lti launch page url