fix some more session weirdness by deleting loggedin cookies instead of piling them up on top of each other

timeout anonymous sessions earlier, to stop the session table getting massive. And fix the inevitable stupid bug which crept in

stop using temporary cookies for logged in users and set a timeout instead. Sessions should now timeout after 48 hours of inactivity, or 8 days since authenticating, whichever comes first. Also fix a bug where we tried to delete users sessions before actually figuring out who they were which stopped logout functioning correctly

- Begin to stop it being so logout happy for ordinary users who aren't doing anything particularly sensitive on the site by keeping track of when a user was last asked for credentials
- Don't continue to use the same session identifier once a user is logged in; it's likely been sent insecurely
- Mark session cookies as "SSL only" once logged in
- Automatically bump users from HTTP to HTTPS for all requests whilst they're logged in