AdRoll / hologram

Easy, painless AWS credentials on developer laptops.
Apache License 2.0

Configurable session timeouts #103

Closed BillMedernach closed 4 years ago

BillMedernach commented 4 years ago

The hard-coded 3600 second life on session tokens is often problematic when working on tasks that require a longer timeout, such as a long-running local script or working in the console via Holochrome.

This PR allows each role to have a configurable timeout based on a configurable LDAP group attribute. This means an engineer role, for example, could have a 4-hour timeout and a more permissive god role could have something like a 30-minute timeout.
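
One way a per-role timeout could be resolved from a group attribute, as an added Go example (not code from this PR or from hologram). The attribute name `sessionTimeout`, the `Group` type and the `SessionTTL` function are hypothetical; the 900 to 43200 second bounds are the STS AssumeRole limits for `DurationSeconds`, and the role's own maximum session duration is assumed to be raised to match.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// STS AssumeRole accepts DurationSeconds from 900 up to 43200 (12 hours).
const (
	defaultSecs = 3600 // the fixed lifetime the PR description mentions
	minSecs     = 900
	maxSecs     = 43200
)

// Group is a constructed stand-in for an LDAP group entry (attribute -> values).
type Group map[string][]string

// SessionTTL reads the timeout (in seconds) from the attribute named attr.
// A missing attribute yields the default; a malformed value yields the default
// plus an error so it can be logged; out-of-range values are clamped to STS limits.
func SessionTTL(g Group, attr string) (time.Duration, error) {
	vals := g[attr]
	if len(vals) == 0 {
		return defaultSecs * time.Second, nil
	}
	raw := strings.TrimSpace(vals[0])
	secs, err := strconv.ParseInt(raw, 10, 64)
	if err != nil || secs <= 0 {
		return defaultSecs * time.Second, fmt.Errorf("%s: invalid timeout %q", attr, raw)
	}
	if secs < minSecs {
		secs = minSecs
	} else if secs > maxSecs {
		secs = maxSecs
	}
	return time.Duration(secs) * time.Second, nil
}

func main() {
	const attr = "sessionTimeout" // hypothetical attribute name
	// Constructed sample values: engineer, god, and a malformed entry.
	for _, v := range []string{"14400", "1800", "4h"} {
		ttl, err := SessionTTL(Group{attr: {v}}, attr)
		fmt.Println(v, ttl, err)
	}
}
```

Falling back to the default on a malformed value, rather than to the maximum, keeps a directory typo from silently lengthening a privileged role's session.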

nathan-clegg commented 4 years ago

I'm still unclear on how helpful this will be, since my experience is a lot of refreshes rather than explicit signouts that clearly happen more than every hour. I'd love to be proven wrong though. (Though I might not notice much since I'm so often sre.)