#30 Sessions should use 2 factor authentication

[James Dominy]

Setting a session cookie should set a base64 encoded random hash as well as the session id in the form "<id>:<hash>" and store the hash in the session table. When authenticating via a session cookie, the session is checked against both the session id and the hash.