django-user-sessions
Security issue with default URL suggestion
The current install instructions suggest that people include `path("sessions/", include("user_sessions.urls", "user_sessions")),` in their urls.py.
However, without additional work this creates pages which display all active sessions to any user. I think this should be mentioned, and these urls added to the instructions as a separate optional step. These views/urls aren't needed for the operation of the package, and they probably shouldn't be left open as a default.
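To check whether a project has wired in the URL include quoted in this issue, the following is an added example (not part of the original issue and not code from django-user-sessions). It statically scans a urls.py source string for `path()`, `re_path()` or `url()` entries that include `user_sessions.urls`; the sample urls.py and all function names are constructed for illustration.

```python
import ast

TARGET = "user_sessions.urls"  # URLconf module named in the install instructions

# Constructed sample urls.py source (not taken from any real project).
SAMPLE_URLS_PY = '''
from django.urls import include, path

urlpatterns = [
    path("sessions/", include("user_sessions.urls", "user_sessions")),
    path("api/", include("api.urls")),
]
'''

def _call_name(node):
    """Bare function name of a call such as path(...) or urls.path(...)."""
    return getattr(node.func, "id", None) or getattr(node.func, "attr", None)

def _included_module(node):
    """For include("x.urls", ...) or include(("x.urls", "app")), return "x.urls"."""
    if not (isinstance(node, ast.Call) and _call_name(node) == "include" and node.args):
        return None
    first = node.args[0]
    if isinstance(first, ast.Tuple) and first.elts:
        first = first.elts[0]  # (module, app_namespace) tuple form
    if isinstance(first, ast.Constant) and isinstance(first.value, str):
        return first.value
    return None

def find_session_url_includes(source):
    """Return sorted (line, route) pairs for URL entries that include TARGET."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call) and _call_name(node) in {"path", "re_path", "url"}):
            continue
        if len(node.args) < 2 or _included_module(node.args[1]) != TARGET:
            continue
        route = node.args[0]
        route = route.value if isinstance(route, ast.Constant) else "<dynamic>"
        hits.append((node.lineno, str(route)))
    return sorted(hits)

if __name__ == "__main__":
    for line, route in find_session_url_includes(SAMPLE_URLS_PY):
        print(f"urls.py:{line}: route {route!r} includes {TARGET}; confirm it is meant to be reachable")
```

Each reported route is a place to decide whether the optional session views should be mounted at all and, if so, who may reach them.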