The default cookie name koa:sess contains :, which is not a valid token character in accordance with RFC6265 and RFC2616. Although most web browsers and servers allow this, it causes problems in some more strict environment such as spray.

Would you consider remaining it? If so, should we take backward compatibility into account?