Drop gorilla/sessions in favor of using gorilla/securecookie
directly (we use a single cookie anyway). Since securecookie already
has its own expiration timestamp, we can drop some stuff from httputil
as well.

The login handler is now a simpler, standalone http.Handler
wrapper. The separation between the SSO application and the login
handler is now fairly complete.

The login handler no longer forces the user to a specific workflow via
session cookies, but it works on a request-by-request basis instead,
which makes the "back" button works as expected (allowing the user to
bail out of a broken 2FA process, for example).

Session handling has been simplified as well: there is a single
session for authentication and login state, which should remove the
opportunity for session synchronization errors.

The sso service endpoint should send the proper CORS headers and
respond to OPTIONS (for CORS prefetches) so that XmlHttpRequests on
authenticated sites can (partially) work.

First step towards letting users pick the method they prefer.

Simplifies the device manager code as we don't have to duplicate the
IP/network matching logic there.

Uses the clientutil.Backend abstraction for the keystore client API.