Right now a user will lose the session if the WebSocket connection dies. Ideally we'd support spurious connection drops and reconnections (e.g. browser tab refreshes) by having a sticky ID by client.
Also consider how this will affect kicked users implemented in #3.
