
Improved docs for Signer to encourage more secure patterns.

Open spookylukey opened this issue 2 years ago • 0 comments

After seeing a colleague use Signer/TimestampSigner without the salt argument passed, I looked at the docs and found that they do not really encourage its use. This is unfortunate, because it really is required to avoid hacks once you have more than one use of it in your application. The best way to ensure correct usage is to always add the argument.

While I was there, I took the opportunity to explain and encourage better patterns, and updated the get_signed_cookie and set_signed_cookie docs accordingly.

Passing salt to set_signed_cookie is not quite as necessary, because it already uses the key value as a salt, but I think it is still helpful. In a large project, it's possible that the same key could be validly used for set_signed_cookie(key) but with different purposes - for example they might use a different path argument, so the cookies wouldn't clash at the browser level, and therefore they wouldn't notice the clash.

spookylukey, Feb 18 '22
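The cross-purpose clash the PR describes, shown with a stdlib analogue of Django's salted-HMAC signing (added example, not Django's own code or the PR's; SECRET_KEY, the purpose names and the key derivation are simplified assumptions for the demo):

```python
import hashlib
import hmac

# Constructed secret for the demo; a real deployment uses settings.SECRET_KEY.
SECRET_KEY = "demo-secret-key-not-for-production"


def _derive_key(salt: str) -> bytes:
    # Simplified analogue of Django's salted_hmac(): the salt is folded into
    # the HMAC key, so Signers with different salts use unrelated keys.
    return hashlib.sha256((salt + SECRET_KEY).encode()).digest()


def sign(value: str, salt: str = "") -> str:
    # Mirrors Signer.sign(): append an HMAC of the value to the value itself.
    mac = hmac.new(_derive_key(salt), value.encode(), hashlib.sha256).hexdigest()
    return f"{value}:{mac}"


def unsign(signed: str, salt: str = "") -> str:
    # Mirrors Signer.unsign(): recompute the HMAC and compare in constant time.
    value, _, mac = signed.rpartition(":")
    expected = hmac.new(_derive_key(salt), value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("Signature does not match")
    return value


def _accepted(token: str, salt: str) -> bool:
    try:
        unsign(token, salt=salt)
        return True
    except ValueError:
        return False


def unsalted_clash() -> bool:
    # Weak pattern: two unrelated features share one Signer with no salt.
    # A token minted for one purpose (a user id for an unsubscribe link)
    # is accepted unchanged by a second feature (a password-reset handler).
    token = sign("42")
    return _accepted(token, salt="")


def salted_clash() -> bool:
    # Corrected pattern: each use passes its own salt, so the token minted
    # for one purpose fails verification under every other purpose.
    token = sign("42", salt="newsletter.unsubscribe")
    return _accepted(token, salt="accounts.password_reset")
```

A quick check: `unsalted_clash()` returns True and `salted_clash()` returns False, while a token is still accepted under the salt it was minted with.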