Add plug to handle invalidated Pow session tokens #36
Exploring a potential resolution to pow-auth/pow#356 here.
The above issue exposed a variety of issues that I've squashed in Pow. The last one I can identify is not a technical issue in Pow, rather it's UX. The problem occurs if I let the session expire, and then open a bunch of tabs at the same time. The first request will successfully use the persistent session token, while all subsequent requests will fail since they use the old cookie value. Thus I've one tab where I'm authenticated, and the rest are not.
This PR adds a plug that stores a session id or persistent session token when they are rolled. If a request is unauthenticated and a session id or persistent session token exists in the request, the token will be looked up in the invalidated session cache. The tokens are only stored for 60 seconds (should probably be much less).
Though there is no test suite, I added the test for the plug for good measure. I'll comment on pow-auth/pow#356 to go more in depth regarding this approach, and conclusions.
I've tested this locally, and can no longer trigger the issue.
Before I commit to this, I want to explore if some upstream changes could make this easier, and I need to ensure that new sessions can't be created, to prevent a vulnerability.
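The mechanism described in the PR, as an added illustration (not the PR's own plug): tokens are recorded at the moment they are rolled, kept for 60 seconds, and an unauthenticated request that still carries one is flagged as a stale tab rather than a signed-out user. The module name, the ETS table, the `@cookie_names` list and the `:stale_pow_session` assign are assumptions; it expects to run after `Pow.Plug.Session` so `Pow.Plug.current_user/1` has its config.

```elixir
defmodule MyAppWeb.Pow.InvalidatedSessionPlug do
  # Added illustration of the approach in this PR, not the PR's own code.
  # Assumed: cookie names, the ETS table name and the :stale_pow_session assign.
  @behaviour Plug
  import Plug.Conn

  @table :pow_invalidated_tokens
  @ttl_seconds 60
  @cookie_names ["_my_app_web_auth", "_my_app_web_persistent_session"]

  @doc "Call this wherever a session id or persistent session token is rolled."
  def record_rolled(token) when is_binary(token) do
    ensure_table()
    :ets.insert(@table, {token, System.system_time(:second) + @ttl_seconds})
    :ok
  end

  @doc "True if `token` was rolled less than #{@ttl_seconds} seconds ago."
  def invalidated?(token) when is_binary(token) do
    ensure_table()
    now = System.system_time(:second)

    case :ets.lookup(@table, token) do
      [{^token, expires_at}] when expires_at > now -> true
      [{^token, _expired}] -> :ets.delete(@table, token) && false
      [] -> false
    end
  end

  @impl true
  def init(opts), do: opts

  @impl true
  def call(conn, _opts) do
    conn = fetch_cookies(conn)

    if Pow.Plug.current_user(conn) do
      conn
    else
      # A hit means another tab already rolled this token: the cookies in this
      # tab are stale, not signed out, so the app can reload instead of
      # redirecting to sign-in.
      stale? =
        @cookie_names
        |> Enum.map(&Map.get(conn.cookies, &1))
        |> Enum.reject(&is_nil/1)
        |> Enum.any?(&invalidated?/1)

      assign(conn, :stale_pow_session, stale?)
    end
  end

  defp ensure_table do
    if :ets.whereis(@table) == :undefined,
      do: :ets.new(@table, [:named_table, :public, :set, read_concurrency: true])
    :ok
  end
end
```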