Separate session management from PhabricatorUser

Summary: Ref T4310. Ref T3720. Session operations are currently part of PhabricatorUser. This is more tightly coupled than needbe, and makes it difficult to establish login sessions for non-users. Move all the session management code to a `SessionEngine`.

Test Plan:
  - Viewed sessions.
  - Regenerated Conduit certificate.
  - Verified Conduit sessions were destroyed.
  - Logged out.
  - Logged in.
  - Ran conduit commands.
  - Viewed sessions again.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T4310, T3720

Differential Revision: https://secure.phabricator.com/D7962

src/applications/base/controller/PhabricatorController.php

@@ -35,20 +35,12 @@ abstract class PhabricatorController extends AphrontController {
     } else {
       $user = new PhabricatorUser();
 
-      $phusr = $request->getCookie('phusr');
       $phsid = $request->getCookie('phsid');
-
-      if (strlen($phusr) && $phsid) {
-        $info = queryfx_one(
-          $user->establishConnection('r'),
-          'SELECT u.* FROM %T u JOIN %T s ON u.phid = s.userPHID
-            AND s.type LIKE %> AND s.sessionKey = %s',
-          $user->getTableName(),
-          PhabricatorUser::SESSION_TABLE,
-          'web-',
-          PhabricatorHash::digest($phsid));
-        if ($info) {
-          $user->loadFromArray($info);
+      if ($phsid) {
+        $session_user = id(new PhabricatorAuthSessionEngine())
+          ->loadUserForSession('web', $phsid);
+        if ($session_user) {
+          $user = $session_user;
         }
       }