Support for maximum session lifetime

[alitheg]

We implemented a maximum session lifetime as part of the Trusted Releases platform, but thought we should contribute it back. Feedback welcome!

[gstein]

I implemented cookie/session lifetimes in infrastructure-idm ... I believe that the lifetime is an application concern, rather than a parameter to the .read() method. To this end, I'd suggest something in config.yaml and/or a parameter when the app is constructed, which is then used to restrict all session lifetimes regardless of .read() usage.

And to be clear: the quart session cookie has an HMAC on it, to prevent tampering. That is the purpose of secret_key. (IDM didn't have asfquart, so it was doing the HMAC on its own)

[alitheg]

I've put it in there as a config parameter instead of an argument. In ATR we load our config programmatically (app.config.from_object(app_config)) and I thought it would be less clean to pass one of the app_config properties into asfquart.construct before then passing the whole config in again once the app exists.

[alitheg]

@dave2wave I pulled my fork into my local copy of ATR - setting this setting makes the app redirect to the login page once the session expires, and on logging back in the user goes right back where they wanted to be.