Separate session management from PhabricatorUser

Summary: Ref T4310. Ref T3720. Session operations are currently part of PhabricatorUser. This is more tightly coupled than needbe, and makes it difficult to establish login sessions for non-users. Move all the session management code to a SessionEngine.

Test Plan:

• Viewed sessions.
• Regenerated Conduit certificate.
• Verified Conduit sessions were destroyed.
• Logged out.
• Logged in.
• Ran conduit commands.
• Viewed sessions again.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4310, T3720

Differential Revision: https://secure.phabricator.com/D7962