Store a random session key used to sign and verify comment ownership
once the database is initialized, not on every application startup.
Currently fixed session keys in [general] session-key are migrated into
the database on startup. The configuration parser will notice you about
the change and suggest you to remove this option.
The previous approach using a custom X-Custom header did work for the
client-side, but not for activation and deletion links. Now, you need
to add a `name = foo` option to the general section. `isso.dispatch`
then binds this configuration to /foo and can distinguish all API
calls without a special HTTP header.