SessionMiddleware: support FIPS builds without SHA-1 #2982
Suggested fix:
Replies: 2 comments
Pull Request for this fix: #2986
@Kludex @bcarroll I would be interested in this fix as well; right now my workaround (in FastAPI) is essentially the same as @bcarroll's:

```python
import hashlib
from typing import Literal

import itsdangerous
from starlette.datastructures import Secret
from starlette.middleware.sessions import SessionMiddleware
from starlette.types import ASGIApp


# Use custom class to fix FIPS issue by providing custom signing digest method
class SHA256SessionMiddleware(SessionMiddleware):
    """Session middleware with SHA256 as a digest method."""

    def __init__(
        self,
        app: ASGIApp,
        secret_key: str | Secret,
        session_cookie: str = "session",
        max_age: int | None = 14 * 24 * 60 * 60,  # 14 days, in seconds
        path: str = "/",
        same_site: Literal["lax", "strict", "none"] = "lax",
        https_only: bool = False,
        domain: str | None = None,
    ) -> None:
        """Override `SessionMiddleware`'s __init__."""
        super().__init__(
            app=app,
            secret_key=secret_key,
            session_cookie=session_cookie,
            max_age=max_age,
            path=path,
            same_site=same_site,
            https_only=https_only,
            domain=domain,
        )
        # Replace the signer the parent built (itsdangerous' default digest is SHA-1)
        # with one that signs using SHA-256, which FIPS builds accept.
        self.signer = itsdangerous.TimestampSigner(str(secret_key), digest_method=hashlib.sha256)


# `app` is the FastAPI application instance; remaining keyword arguments elided as in the original
app.add_middleware(
    SHA256SessionMiddleware,
    ...
)
```