Oh I forgot to mention what it *doesn't* do - session handling. Over the last year and a half that I've been using it for real sites every day, I just haven't felt the need for that beyond the most basic cookie thing and the database.
If I need something like a session, I've always just done it in the database, with specific table structures for that app. I've considered doing a struct serializer or something, but meh, I like it well enough the way it is now.