This repository was archived by the owner on Jan 16, 2023. It is now read-only.
Add expiration as part of signed data and enforce it #15
Closed as not planned
Description
In #14, @jtgeibel added a Max-Age to the Set-Cookie header, so browsers will expire a cookie if it isn't refreshed within 90 days. However, if an attacker captures a copy of a cookie, it's still valid indefinitely. It would be useful to embed an expiration date in the signed cookie so that the server knows to reject a cookie that should have been expired by now. This would limit the impact of a compromised account.
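The two behaviours the issue contrasts, as an added example that is not the project's own code: a "before" cookie whose only expiry is the browser-side Max-Age (an authentic captured copy is accepted forever), beside an "after" cookie that embeds `expires_at` inside the signed payload and rejects it server-side once it has passed. The HMAC-SHA256 signing, the `user_id|expires_at|sig` layout, the constructed key and the injectable `now` parameter are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed key for the demo (assumption); a real server loads it from config.
SECRET_KEY = b"demo-secret-key-not-for-production"
# The 90-day refresh window the issue mentions, here enforced server-side too.
MAX_AGE_SECONDS = 90 * 24 * 60 * 60


def _sign(payload: bytes) -> str:
    """HMAC-SHA256 over the payload, URL-safe base64 so it fits in a cookie."""
    mac = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode("ascii")


def _mac_matches(payload: bytes, provided_sig: str) -> bool:
    """Constant-time comparison so the check does not leak the MAC byte by byte."""
    return hmac.compare_digest(_sign(payload).encode("utf-8"), provided_sig.encode("utf-8"))


# --- "Before": expiry exists only as the Set-Cookie Max-Age attribute. ---

def issue_legacy_cookie(user_id: str) -> str:
    """Format: user_id|sig. Nothing in the signed data says when it expires."""
    return f"{user_id}|{_sign(user_id.encode('utf-8'))}"


def verify_legacy_cookie(cookie: str) -> Optional[str]:
    """Accepts any authentic cookie indefinitely; a captured copy never goes stale."""
    user_id, sep, sig = cookie.rpartition("|")
    if not sep or not _mac_matches(user_id.encode("utf-8"), sig):
        return None
    return user_id


# --- "After": expiry is part of the signed payload and enforced on the server. ---

def issue_cookie(user_id: str, now: Optional[float] = None) -> str:
    """Format: user_id|expires_at|sig, where the MAC covers user_id|expires_at."""
    issued = int(time.time() if now is None else now)
    expires_at = issued + MAX_AGE_SECONDS
    payload = f"{user_id}|{expires_at}".encode("utf-8")
    return f"{payload.decode('utf-8')}|{_sign(payload)}"


def verify_cookie(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id only if the MAC is valid AND the embedded expiry has not passed."""
    parts = cookie.rsplit("|", 2)
    if len(parts) != 3:
        return None
    user_id, expires_str, sig = parts
    payload = f"{user_id}|{expires_str}".encode("utf-8")
    # Authenticity first: an attacker must not be able to rewrite the expiry field.
    if not _mac_matches(payload, sig):
        return None
    try:
        expires_at = int(expires_str)
    except ValueError:
        return None
    current = time.time() if now is None else now
    if current >= expires_at:
        return None  # authentic but stale: reject even though the signature checks out
    return user_id


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed issue time
    captured = issue_cookie("alice", now=t0)
    print("fresh:", verify_cookie(captured, now=t0 + 60))
    print("after 90 days:", verify_cookie(captured, now=t0 + MAX_AGE_SECONDS + 1))
    print("legacy, any time later:", verify_legacy_cookie(issue_legacy_cookie("alice")))
```

Checking the MAC before parsing the expiry matters: the server should only trust an `expires_at` it signed itself, so a forged or edited timestamp fails on authenticity rather than being interpreted.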