Don’t auto-start session

Introduce the Authentication class, which is constructed on-demand rather than as soon as any script is loaded (unlike the former oauth.php). This is important because the initialization initiates the OAuth authentication and writes the token in the session – which starts the session, often totally unnecessarily. The totally unnecessary cases include the API, which is called from Gerrit by lots of people who don’t even know what Patch Demo is, but still get the session cookies. The same session cookies also fill the backend disk, to the point that it ran out of inodes.

Closes #601 (closed)