I took a shot at resolving SHIRO-361, without SHIRO-360:
https://github.com/apache/shiro/pull/31

This disables URL rewriting by default, and can be turned back on via:

    [main]
    sessionManager = org.apache.shiro.web.session.mgt.DefaultWebSessionManager
    sessionManager.sessionIdUrlRewritingEnabled = true
    securityManager.sessionManager = $sessionManager

I think this is the _correct_ default, but I also don't like changing the behavior. Please take a look at the comments in https://issues.apache.org/jira/browse/SHIRO-361 (and SHIRO-360, SHIRO-351) and let me know your thoughts.

I'd like to get this in for 1.3 in one form or another.

-Brian
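
One way to gauge the impact of the default change described above before upgrading, as an added example that is not part of the original message or of Shiro: scan access logs for requests that carry the session ID as a URL path parameter. It assumes combined-format logs and the default JSESSIONID parameter name; the function name and the log lines are constructed for illustration.

```python
import re
from collections import Counter

# Path parameter appended by session-ID URL rewriting. Matched case-insensitively
# because servlet containers write ";jsessionid=" (assumption: default name in use).
SID_PARAM = re.compile(r';jsessionid=([^;?#/\s"]+)', re.IGNORECASE)

# Combined log format tail: "request line" status size "referer" "user agent"
LINE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def audit_url_session_ids(lines):
    """Return (agents that sent IDs in URLs, IDs seen in URLs, IDs seen in Referer)."""
    agents, in_url, in_referer = Counter(), set(), set()
    for line in lines:
        m = LINE.search(line)
        if not m:
            continue  # skip lines that are not in the expected format
        hit = SID_PARAM.search(m["target"])
        if hit:
            # This client depends on rewriting and is affected by the new default.
            in_url.add(hit.group(1))
            agents[m["agent"]] += 1
        ref = SID_PARAM.search(m["referer"])
        if ref:
            # The ID travelled in a Referer header, i.e. it was exposed by a link.
            in_referer.add(ref.group(1))
    return agents, in_url, in_referer

# Constructed sample log lines (not taken from a real system).
SAMPLE = [
    '203.0.113.5 - - [10/Feb/2016:10:00:00 +0000] "GET /account;JSESSIONID=aaaa1111 HTTP/1.1" 200 512 "-" "ExampleBot/1.0"',
    '203.0.113.9 - - [10/Feb/2016:10:00:05 +0000] "GET /home HTTP/1.1" 200 100 "https://app.example/account;JSESSIONID=aaaa1111?tab=1" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Feb/2016:10:00:09 +0000] "GET /cart;jsessionid=bbbb2222?item=3 HTTP/1.1" 200 90 "-" "ExampleBot/1.0"',
    '198.51.100.7 - - [10/Feb/2016:10:00:12 +0000] "GET /static/site.css HTTP/1.1" 200 40 "-" "Mozilla/5.0"',
    'truncated or malformed line',
]

if __name__ == "__main__":
    agents, in_url, in_referer = audit_url_session_ids(SAMPLE)
    print("agents relying on URL rewriting:", dict(agents))
    print("session IDs seen in URLs:", sorted(in_url))
    print("session IDs seen in Referer headers:", sorted(in_referer))
```

An empty result over a representative log window suggests no client depends on rewriting, so the sessionIdUrlRewritingEnabled override should not be needed.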
