this helps to guard against a replay attack with session cookies.
we use the session for a number of things, including logged in status,
history, poorcel mode, etc. a user can be logged in indefinitely by
replaying their session cookie or doing something which resets the timer
(ex. toggling poor mode). this adds a session expiration to whatever the
SESSION_LIFETIME constant is, which shouldn't be too restrictive (login
sessions being valid for 1 year).