Validate logins, and simplify email password resets

Authored by epriestley <git@epriestley.com> on Jan 10 2012, 23:42.

Description

Validate logins, and simplify email password resets

Summary:

  • There are some recent reports of login issues, see T755 and T754. I'm not
    really sure what's going on, but this is an attempt at getting some more
    information.
  • When we login a user by setting 'phusr' and 'phsid', send them to
    /login/validate/ to validate that the cookies actually got set.
  • Do email password resets in two steps: first, log the user in. Redirect them
    through validate, then give them the option to reset their password.
  • Don't CSRF logged-out users. It technically sort of works most of the time
    right now, but is silly. If we need logged-out CSRF we should generate it in
    some more reliable way.

Test Plan:

  • Logged in with username/password.
  • Logged in with OAuth.
  • Logged in with email password reset.
  • Sent bad values to /login/validate/, got appropriate errors.
  • Reset password.
  • Verified next_uri still works.

Reviewers: btrahan, jungejason

Reviewed By: btrahan

CC: aran, btrahan, j3kuntz

Maniphest Tasks: T754, T755

Differential Revision: https://secure.phabricator.com/D1353
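The cookie round-trip check the summary describes, as an added example that is not Phabricator's code or part of this commit: a successful login sets 'phusr' and 'phsid' and redirects to /login/validate/, which only honours next_uri once the browser has actually sent those cookies back. SESSIONS, login(), validate(), safe_next_uri() and parse_query() are names assumed for this demo, and the session store is constructed.

```python
from urllib.parse import urlencode, urlparse, parse_qs

# Constructed session store for the demo: session id -> username.
SESSIONS = {"sid-abc123": "alice"}


def login(username, next_uri="/"):
    """Successful login: set 'phusr'/'phsid' and redirect to /login/validate/.

    Returns a dict standing in for the HTTP response (status, cookies, location).
    """
    sid = next(s for s, u in SESSIONS.items() if u == username)
    query = urlencode({"phusr": username, "next": next_uri})
    return {"status": 302,
            "set_cookie": {"phusr": username, "phsid": sid},
            "location": "/login/validate/?" + query}


def safe_next_uri(uri):
    """Accept only a local absolute path so next_uri cannot send the user off-site."""
    parsed = urlparse(uri)
    if parsed.scheme or parsed.netloc or not uri.startswith("/") or uri.startswith("//"):
        return "/"
    return uri


def parse_query(location):
    """Flatten the query string of a redirect target into a dict (first value wins)."""
    return {k: v[0] for k, v in parse_qs(urlparse(location).query).items()}


def validate(params, cookies):
    """Handler for /login/validate/: prove the browser sent the login cookies back.

    params: query parameters ('phusr' = user who just logged in, 'next' = post-login uri)
    cookies: cookies the browser presented on this request
    """
    for name in ("phusr", "phsid"):
        if name not in cookies:
            return {"status": 400,
                    "error": f"Login cookie '{name}' was not set; check cookie domain configuration."}
    if cookies["phusr"] != params.get("phusr"):
        return {"status": 400, "error": "Cookie 'phusr' does not match the user who just logged in."}
    if SESSIONS.get(cookies["phsid"]) != cookies["phusr"]:
        return {"status": 400, "error": "Cookie 'phsid' is not a valid session for this user."}
    return {"status": 302, "location": safe_next_uri(params.get("next", "/"))}
```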

Details

Committed
epriestley <git@epriestley.com>, Jan 11 2012, 17:25
Pushed
aubort, Jan 31 2017, 17:16
Parents
rPHaf37b637f544: Detect un-cookieable domain configuration and explode
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHd75007cf42d1: Validate logins, and simplify email password resets (authored by epriestley <git@epriestley.com>). Jan 11 2012, 17:25