Add session `max_age` to SessionMiddleware

[helen-m-lin]

Is your feature request related to a problem? Please describe.
Currently, when the user logs in, their userinfo (not full token) is saved in the request session. This is saved until the user logs out, or the browser session is cleared, or the default session max_age of 2 weeks.

Describe the solution you'd like
The request session should have a shorter max_age. Consider having it match the auth token timeout?

Describe alternatives you've considered
Save and refresh the auth token if it has expired.

Additional context
See https://www.starlette.io/middleware/#sessionmiddleware:

max_age - Session expiry time in seconds. Defaults to 2 weeks. If set to None then the cookie will last as long as the browser session.

[helen-m-lin]

Also look into revoking the token