When a user changes their identity by passing a url token, if the
token is expired, we currently fall through and would support their
session cookie still. Instead, if an identity change is being
requested, even with an expired token, we will at least prompt for auth,
which will allow the user to log back in as themselves.
This fixes a scenario where you are logged in as someone else and are
unable to click an old link to login as yourself to get back into your
own identity