Allow validateSession to return a promise

[darkrift]

Locally validating the token is only the first step but the real deal is to know if the server still have that session token active/alive (maybe the server restarted, the session has been killed by some other admin users, etc) so a server call will most likely always be required to determine if the client token is still valid.

Currently the validateSession option must be a pure function that requires an immediate returned value but allowing the returned value to be a promise would allow server validation and fix the described problem.

[austencm]

Agreed. This seems crucial for validateSession to be useful.