remove http redirect logic from session destroy (updates session routes)

[cainlevy]

In an early prototype of AuthN, I was anticipating more HTTP redirection logic and built SessionsController#destroy accordingly. But AuthN is currently doing well as a pure JavaScript API, and when XmlHttpRequests automatically follow the redirect, unnecessary things happen.

This cleans up a bit. The first step was removing the redirect logic in the controller. The second step was recognizing that this route was a GET only for redirect purposes and should now be a DELETE. The third step was deciding that since the API contract is changing, I may as well properly singularize the /session resource.

fixes #45

[coveralls]

Coverage decreased (-0.009%) to 99.379% when pulling 0aecd1197f73eda9747f5190583b996ab191b291 on logout_api into 3c7e12a1a37bb580d48f6b75067a7fc2b0b9ee96 on master.