Do not force logout from SessionTimer

[rsutphin]

SessionTimer's current implementation interferes with CAS SSO when there's a timeout. Example scenario:

Applications A and B are protected by the same CAS server, application session timeouts are n, CAS session timeout is 3n.

• User logs into A
• User follows a link to B
• User actively uses B for n + 1 minutes
• User follows a link to back to A

Expected behavior: the user can use A without logging back in. Actual behavior: on detection of the user's timed-out session in A, the user is redirected to /logout. This kills both the application and CAS session, requiring the user to log back in. It also leaves the user on the CAS logout page, rather than the page she was trying to reach.

[rsutphin]

New design:

• Move the SessionTimer middleware above Authenticate
• In SessionTimer, only clear the session. Do not issue a redirect.
• Set a rack environment variable so that modes can detect if a newly-required login is the result of a session timeout.