Currently, set_session_attributes can only set custom attributes while start_session can set most. From a security standpoint it would be better if we could set all attributes using the backend api in order to generate sessions more securely and restrict attribute modification through the user-side start_session url.
generate_session_key is called from backend chat initiation portal which has already authenticated the user.
set_session_attributes is called from backend to populate information like description, customer name, etc.
start_session should then NOT allow identity parameters such as customer.name to be altered by the end user which is in control over the start_session call. Also there might be custom attributes that we want to prevent the user to have control over.