Switch to a simpler session implementation

Drop gorilla/sessions in favor of using gorilla/securecookie
directly (we use a single cookie anyway). Since securecookie already
has its own expiration timestamp, we can drop some stuff from httputil
as well.