web: don't write a session file at startup

The .hledger-web_client_session_key.aes file written at startup is
cluttersome and means hledger-web can only be started from a writable
directory. What do we lose if I disable it?

https://hackage.haskell.org/package/yesod-core-1.4.33/docs/Yesod-Core.html#v:makeSessionBackend
says "Default: Uses clientsession with a 2 hour timeout."
http://hackage.haskell.org/package/clientsession-0.9.1.2 says
"Securely store session data in a client-side cookie."

I think: hledger-web saves (eg) the state of the sidebar as session
data, in a cookie, and my web browser saves that locally. And this
still seems to work, across server restarts. So what's the purpose of
saving this "client session" file on the server? Let's disable it and
find out.
Simon Michael 2017-12-29 10:53:41 -08:00
parent ecdbc05703
commit e9ff1280d7

@ -100,11 +100,13 @@ type Form x = Html -> MForm (HandlerT App IO) (FormResult x, Widget)
instance Yesod App where
approot = ApprootMaster $ appRoot . settings
-- Store session data on the client in encrypted cookies,
-- default session idle timeout is 120 minutes
makeSessionBackend _ = fmap Just $ defaultClientSessionBackend
(120 * 60)
".hledger-web_client_session_key.aes"
-- -- Store session data on the client in encrypted cookies,
-- -- default session idle timeout is 120 minutes
-- makeSessionBackend _ = fmap Just $ defaultClientSessionBackend
-- (120 * 60)
-- ".hledger-web_client_session_key.aes"
-- don't use session data
makeSessionBackend _ = return Nothing
defaultLayout widget = do
master <- getYesod
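
Review bot: `makeSessionBackend _ = return Nothing` turns off sessions for the whole app, not only the key file written at startup, and the `-- don't use session data` comment does not say what is lost with them. Yesod keeps the CSRF token for `MForm`-based forms (the `Form` type shown in the hunk header) in the session, so with no backend any POST form built on that type is accepted without a token check; please confirm that is acceptable for how hledger-web is deployed, or keep a session backend and make the key path configurable so it can point at a writable location. The five commented-out lines of the old definition are dead code: delete them and let the history carry them, and use the remaining comment to name the trade-off in one line.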