Metrics cover specifically the authentication workflow.

The sess.UserInfo is still unset at that stage, use valid information
instead. This fixes a bug where keys were not being unlocked for users.

Just to cover edge cases when sessions are about to expire.

Makes the authentication cookie quite shorter.

This prevents an error where the keystore will have invalid keys even
in presence of a valid SSO ticket (because the parent auth session has
expired already).

This avoids browsers messing up the session state (given that /login
calls session.Reset) with requests to various kinds of well-known URLs
that might not exist.

Also add an integration test for a server with non-nil URL prefix.

Fix a pretty fundamental error where group memberships could not be
verified. Also adds tests to ensure this does not happen again.

Refactor the login handler

See merge request !6

Session handling no longer depends on gorilla/sessions.

Drop gorilla/sessions in favor of using gorilla/securecookie
directly (we use a single cookie anyway). Since securecookie already
has its own expiration timestamp, we can drop some stuff from httputil
as well.

There is no need for the complex gorilla/sessions machinery for what
is basically a single cookie, so we switch to using
gorilla/securecookie directly.

There is no point in using the complex gorilla/sessions machinery for
storing a simple long-term cookie, just use gorilla/securecookie directly.

If we don't, they will trigger the login handler and invalidate the
current session (if any), which prevents the user from being able to
log in.

Being consistent across runs avoids generating spurious git changes.