Client
======
- When the game starts,
  - Get a session id from the server.
- When the game is won,
  - Send the session id along with the code.
- Every TIMEOUT*0.8 minutes,
  - Ask the server to reset the session's timeout.

Server
======
- When receiving a game start request,
  - Delete all sessions which have timed out.
  - Create a new session.
  - Set the session's start time to now.
  - Set the session's timeout to now + TIMEOUT minutes
- When receiving a game win code,
  - Delete all sessions which have timed out.
  - If the code is incorrect, if the session doesn't exist, or if the session is too new to be a valid win,
    - Tell the client he won (to hide what is going on), but don't record it as a win.
  - else
    - Record the win.
    - Tell the client he won.
- When receiving a timeout reset request,
  - Set the session's timeout to now + TIMEOUT minutes
- Every so often,
  - Delete all sessions which have timed out.

(The timeout business prevents the database from being filled with old sessions.)
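
The server half of the outline above, as an added Python sketch that is not part of the original text. The in-memory store, the names `SessionStore`, `MIN_PLAY`, `WIN_CODE` and `REPLY`, the concrete timing values, and the rule that a reset only extends a session that is still live are assumptions made for the example.

```python
import hmac
import secrets
import time

TIMEOUT = 10 * 60                  # assumed value: the outline's TIMEOUT, in seconds
MIN_PLAY = 30                      # assumed: fastest possible legitimate win, in seconds
WIN_CODE = "constructed-win-code"  # constructed placeholder for the game's code
REPLY = "You won!"                 # the client sees this whether or not the win counts


class SessionStore:
    def __init__(self, clock=time.monotonic):
        self.clock = clock         # injectable so the timing rules can be tested
        self.sessions = {}         # session id -> {"start": t, "expires": t}
        self.wins = []             # session ids whose win was recorded

    def purge(self):
        """Delete all sessions which have timed out."""
        now = self.clock()
        self.sessions = {k: s for k, s in self.sessions.items() if s["expires"] > now}

    def start_game(self):
        self.purge()
        now = self.clock()
        sid = secrets.token_urlsafe(32)   # unguessable, so ids cannot be enumerated
        self.sessions[sid] = {"start": now, "expires": now + TIMEOUT}
        return sid

    def reset_timeout(self, sid):
        now = self.clock()
        s = self.sessions.get(sid)
        # Only extend a live session: an expired one that has not been purged
        # yet must not be revived by a late reset request.
        if s is not None and s["expires"] > now:
            s["expires"] = now + TIMEOUT

    def submit_win(self, sid, code):
        self.purge()
        s = self.sessions.get(sid)
        code_ok = hmac.compare_digest(code.encode(), WIN_CODE.encode())
        old_enough = s is not None and self.clock() - s["start"] >= MIN_PLAY
        if code_ok and old_enough:
            self.wins.append(sid)
        return REPLY                      # identical reply hides the rejection
```

The "every so often" cleanup is a periodic call to `purge()` from whatever scheduler the server already has.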