sessionKey for SessionStateStore depends on OAuth hostname

[joh-klein]

I know, that's what the code says anyway.
Couple of questions: Why? :)
My Issue: since the key is session independent (by design) it is always generated by the last user, that is trying to log in. If the OAuth URL changes between users (which it does in my scenario) it is possible, that the key changes for a slow user (when another user tries to login before the first user is successfully logged in) and thus the state can't be validated.

Now, I know I can set the sessionKey to a fixed value, but I was wondering, why you are generating it from something, that can potentially change between users.

PS: All this insight was made possible by the PR #93 which finally explained all the different options! Thanks for that!