issues/365: Do not use IP address and TLS fingerprint to validate cookies by default.

[komuw]

• Previously when validating encrypted cookies, we would compare the IP address(and TLS fingerprint) in the coming request to the one in the cookie.
  This meant that if someone moves from wifi internet to phone internet(as an example), their IP changes and thus their cookie/session would be invalid.

• Since the feature is useful in trying to mitigate against replay attacks(see: try mitigate cookie replay attacks for encrypted cookies #144), we instead introduce functionality that would allow users of ong to set whatever value they want as their anti replay data.
  So someone could set the IP + geo-location of the request as the anti replay data, and if either of those change; the cookies are invalid.

• Fixes: client IP address validation of cookies is punitive to users using mobile phones. #365

[codecov-commenter]

Codecov Report

Attention: 19 lines in your changes are missing coverage. Please review.

Comparison is base (e2b861f) 0.00% compared to head (edeb7e9) 73.52%.

Additional details and impacted files

@@            Coverage Diff            @@
##           main     #388       +/-   ##
=========================================
+ Coverage      0   73.52%   +73.52%     
=========================================
  Files         0       48       +48     
  Lines         0     5684     +5684     
=========================================
+ Hits          0     4179     +4179     
- Misses        0     1214     +1214     
- Partials      0      291      +291     

Files	Coverage Δ
middleware/middleware.go	100.00% <100.00%> (ø)
middleware/session.go	65.00% <100.00%> (ø)
sess/sess.go	78.87% <100.00%> (ø)
config/config.go	64.74% <66.66%> (ø)
cookie/cookie.go	73.77% <60.97%> (ø)

... and 43 files with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.