Since sessions are rebuilt, e.g. when you try to post a blank
comment and therefore receive an error message, the session will
be overwritten without the old max_age.
As proposed in issue #354; it adds an attribute max_age
to mediagoblin.tools.session.Session that is passed to
response.set_cookie; max_age is set to 30 days if the
checkbox is selected
1. Our session cookies only need to be available to http, so
mark them appropiately.
2. Send the cookie to the subpath for mediagoblin.
And instantiate a session manager on the app, once.
This makes session.__init__ slightly more complicated but probably
simplifies everything else, especially if we make the class smarter
later by having it track changes itself.
