Empty session data if session age > max_age

[panagiks]

Fixes #325

[codecov]

Codecov Report

Merging #331 into master will increase coverage by 0.05%.
The diff coverage is 100%.

@@            Coverage Diff             @@
##           master     #331      +/-   ##
==========================================
+ Coverage    97.2%   97.26%   +0.05%     
==========================================
  Files           4        4              
  Lines         215      219       +4     
  Branches       25       26       +1     
==========================================
+ Hits          209      213       +4     
  Misses          4        4              
  Partials        2        2

Impacted Files	Coverage Δ
aiohttp_session/__init__.py	98.1% <100%> (+0.04%)	⬆️

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 8ba1c31...308c839. Read the comment docs.

[panagiks]

As with #326 the fix is retroactive. (Already created sessions will be handled properly and there is no need for secret key rotation / re-issuing).

[panagiks]

The failing tests seem to only be for Python 3.7 (and nightly)

[asvetlov]

thanks

[asvetlov]

Failed Python 3.7 is about #330

[hubo1016]

I'm sorry but this makes me confused: max_age is used for an idle timeout before v2.7.0, but this change makes it a hard_timeout. More importantly, created_time is never updated even after resetting the content, so this means that if the web application does not recreate the session manually, the user will always get an expired session even after login again. This is a SERIOUS BREAK.