Add session hash to access log

[sevdog]

What does this PR do?

This PR adds a new field on AccessLog to better track sessions.

There is still an issue for sessions in which a user changes its password: because django.contrib.auth creates a new session upon password change and no logout/login signal is fired since this is neither a login nor a logout. I suppose it would be fine to keep this case "untracked" since it is not possible to hook into that method and usually changing password is not a frequent task.

When no session engine is configured it falls back to current behaviour: a logout will set the logout_time to every AccessLog without it. However this could be tolerated since there is no standard way to track such case and usually when there is no session there is not the concept of login/logout.

Fixes #1190

Before submitting

• This PR fixes a typo or improves the docs (you can dismiss the other checks if that's the case).
• Did you make sure to update the documentation with your changes?
• Did you write any new necessary tests?

[sevdog]

To better handle "password change" events it could be nice to insert an AccessLog with a null attempt_time which could mean "this is a logout log for this user, we were unable to associate the right login".