Specific API for session
For now, the security uses the ORM method to create and delete session. This makes more difficult to implement alternate session storage.
Also we do no log session check for wrong session which could be useful to block, for example with fail2ban, a brute force attack on session (even if it is highly improbable).
So I propose to create an API: new, remove and check; and move the logging into security.py