SkygearIO / features

Feature Tracking Repo for Skygear
Apache License 2.0

Add session design #424

Closed kiootic closed 4 years ago

carmenlau commented 4 years ago

To make it easier for readers to follow, maybe we could:

  1. Add a TOC in the overview to list the different sections?
  2. Should we have a section to highlight changes? For users who have used Skygear already, after reading the whole document they may not realize that:
    • The API key is removed. We use the client ID for the auth endpoint, and the API key is not required for other authorized requests (e.g. update password, settings, etc.). Users who used the API key to take down the app should implement their own logic to force-update the app.
    • Custom token requires setting up a domain for the auth gear too. We suggest users use a session cookie for web apps, which is more secure, so a custom domain with the same eTLD+1 domain for the auth gear is required. That also implies that the same eTLD+1 domain cannot hold 2 apps with different sessions.

louischan-oursky commented 4 years ago

Combined here https://github.com/SkygearIO/features/pull/425