If SessionRepositoryRequestWrapper.commitSession() is invoked twice
when a new session is created, then CookieHttpSessionStrategy will
add the same cookie twice. A couple examples of how this could happen:
* The response is committed and
SessionRepositoryResponseWrapper.onResponseCommitted() invokes
SessionRepositoryRequestWrapper.commitSession(). Then the finally
block in SessionRepositoryFilter invokes
SessionRepositoryRequestWrapper.commitSession() again.
* The new session is initialized and an Exception is thrown (i.e.
gh-229). The SessionRepositoryFilter invokes
SessionRepositoryRequestWrapper.commitSession() in the REQUEST
dispatch. Then in the ERROR dispatch SessionRepositoryFilter invokes
SessionRepositoryRequestWrapper.commitSession() invokes it again.
This commit ensures if the same Session is passed into
CookieHttpSessionStrategy multiple times within the same HttpServletRequest
it is only written once by keeping track of the sessions on a request
attribute.
Fixes gh-251