User sessions have been added. In summary when a user logs in a new session is created
(and persisted in the model). The identity cookie as well as all tokens/refresh-tokens are
associated with a session. When a user logs out the session is invalidated (removed from
the model), which invalidates the identity cookie and all tokens/refresh-tokens.
There's two related issues left to do:
* Make sure adapters only log out a specific session (if LoginAction contains a session
id)
* Allow a user to log out all sessions through the account management console
Also, we may want some mechanism to retrieve the status of a session from applications.
This could be a REST endpoint, or the crazy iframe technique from OpenID Connect. I think
this can be postponed to after 1.0 though.