
[Feature] Requesting new session explicitly #281

Closed
panagiks opened this issue May 8, 2018 · 2 comments

Comments

panagiks commented May 8, 2018

General

I think aiohttp-session should provide a way to explicitly request a new session, ignoring the existence of a cookie.

Implementation

My initial thought is to pass an optional kwarg new=True to get_session, which in turn will pass it to the storage's load_session function to force it to return a new Session ignoring the presence of any cookie.

Background

This is another window for Session Fixation, although this does not affect aiohttp-session itself like #272 but the application logic. I think that providing a way to explicitly request a new session (and encouraging the use of it in documentation and examples related to login functionality) would greatly benefit the users of aiohttp-session in terms of writing more secure code.

Looking into OWASP's entry for Session Fixation:

When authenticating a user, it [the vulnerable web application] doesn’t assign a new session ID, making it possible to use an existent session ID.

@asvetlov do you agree with adding this feature? If so I can have a PR ready during the weekend (to also add documentation and usage examples).

asvetlov commented May 8, 2018

I like the idea but suggest aiohttp_session.new_session() API instead of new parameter.
It feels more explicit.

panagiks commented May 8, 2018

aiohttp_session.new_session() it is then :)
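The two designs discussed in this thread (a new=True kwarg passed down to the storage's load_session, and a separate new_session() call), shown as an added example that is not aiohttp-session's own code: a constructed in-memory storage plus two login handlers, one that keeps whatever session the cookie already points to and one that starts a fresh one on authentication. MemoryStorage, the login_* functions and the checker are assumptions made for illustration.

```python
import secrets
from dataclasses import dataclass, field

@dataclass
class Session:
    identity: str                      # value carried in the cookie
    data: dict = field(default_factory=dict)

class MemoryStorage:
    """Constructed server-side storage mimicking the load_session split (assumed)."""
    COOKIE_NAME = "AIOHTTP_SESSION"

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        # The API suggested in this thread: always mint a fresh, unpredictable identity.
        session = Session(identity=secrets.token_hex(16))
        self._sessions[session.identity] = session
        return session

    def load_session(self, cookies, new=False):
        # new=True is the kwarg proposed in the issue: ignore any cookie present.
        identity = cookies.get(self.COOKIE_NAME)
        if not new and identity in self._sessions:
            return self._sessions[identity]
        return self.new_session()

def login_reusing_session(storage, cookies, user):
    # Risky pattern: whoever already knows this identity shares the login.
    session = storage.load_session(cookies)
    session.data["user"] = user
    return session

def login_with_new_session(storage, cookies, user):
    # Mitigated pattern: authentication starts a session nobody else has seen.
    session = storage.new_session()
    session.data["user"] = user
    return session

def pre_login_identity_still_works(login):
    """True if an identity issued before login resolves to the authenticated
    user afterwards, i.e. the fixation condition quoted from OWASP above."""
    storage = MemoryStorage()
    before = storage.load_session({})           # constructed pre-login visit
    cookies = {storage.COOKIE_NAME: before.identity}
    login(storage, cookies, "alice")
    return storage.load_session(cookies).data.get("user") == "alice"
```

In a real handler the response must also send the new identity back as the cookie, and a server-side storage should drop the pre-login record once it has been replaced.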
