This patch adds a way to create a token for an authenticated user which is stored
in the session. When a subsequent request resends this token, the request will be
authenticated automatically without the need for any cookies or credential
rechecking.

The auth token expires with the session. Requesting a new token will invalidate
the old one. Sending a wrong token will result in a 401 and any existing token
will be revoked.

This is currently not used anywhere in the code but can be used for browser
intitiated client software (flash, applets, ...).

Note this is unreleated to the anti CSRF sectoken implementation.

Users who want to make use of this mechanism will probably need to pass the
session id and a valid sectoken in addtion to the authtoken

darcs-hash:20080603193450-7ad00-2f35ddde16a31c4f2699e0e6050b3c4277b2bc64.gz