As cookie replay could be a security threat (a client replays the same cookie multiple times and discards new cookies set by the application), I suggest we should pay attention to it somehow in the limitations.md.
Maybe add a new paragraph "Cookie replay" and mention something like (just a quick suggestion):
> It should be pointed out that PSR7Session does not address replay of old cookies. A legitimate client can send previous (old) cookies within the cookie lifetime period.
to make the cookie replay issue stand out better.
I was thinking the Cookie replay paragraph could come right before:
> The idea around PSR7Session is that a session is not supposed to be an actual storage for transient client information, but rather be used for the concerns of authentication, authorization and eventually for validation concerns such as CSRF-token validation.
> If you want to store frequently-updated or concurrently-updated information inside a session, then PSR7Session is likely not fitting your use-case.
thus putting those two paragraphs under the Cookie replay title and paragraph.
Thoughts?
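The limitation described above, as an added example that is not PSR7Session's code: a simplified model of a signed, stateless session cookie (HMAC tag plus expiry) shows that an older cookie a client kept is still accepted for as long as it is unexpired, and a hypothetical `VersionedSessions` class shows what rejecting it would cost, namely server-side state and broken concurrent requests. The key, session id and timestamps are constructed values.

```python
import base64, hashlib, hmac, json
from typing import Optional

SECRET = b"constructed-demo-secret"  # placeholder key, not a real one

def sign_cookie(payload: dict, secret: bytes = SECRET) -> str:
    # Simplified model of a signed session cookie: base64(JSON) + HMAC-SHA256 tag.
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"

def verify_cookie(cookie: str, now: float, secret: bytes = SECRET) -> Optional[dict]:
    # Stateless check: any cookie with a valid tag and a future 'exp' is accepted,
    # so an older cookie the client kept replays for as long as it is unexpired.
    body, _, tag = cookie.rpartition(".")
    expected = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    payload = json.loads(base64.urlsafe_b64decode(body))
    return payload if payload["exp"] > now else None

class VersionedSessions:
    # Hypothetical mitigation: remember the newest version issued per session id and
    # refuse anything older. This needs server-side state and rejects concurrent
    # requests still carrying the previous cookie, the trade-off the text points at.
    def __init__(self) -> None:
        self.latest: dict = {}

    def issue(self, sid: str, version: int, now: float, ttl: float = 3600.0) -> str:
        self.latest[sid] = version
        return sign_cookie({"sid": sid, "ver": version, "exp": now + ttl})

    def handle(self, cookie: str, now: float) -> Optional[dict]:
        payload = verify_cookie(cookie, now)
        if payload is None or payload["ver"] < self.latest.get(payload["sid"], 0):
            return None
        return payload

def replay_scenario() -> dict:
    # Constructed timeline: v1 issued, then rotated to v2; the client keeps sending v1.
    now = 1_700_000_000.0
    srv = VersionedSessions()
    v1 = srv.issue("s1", 1, now)
    v2 = srv.issue("s1", 2, now + 60)
    return {
        "stateless_accepts_old": verify_cookie(v1, now + 120) is not None,
        "versioned_rejects_old": srv.handle(v1, now + 120) is None,
        "versioned_accepts_new": srv.handle(v2, now + 120) is not None,
        "expired_rejected": verify_cookie(v1, now + 4000) is None,
    }
```

Only expiry bounds the replay window in the stateless model, which is why the cookie lifetime is the relevant parameter in the suggested wording.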