dondi/quo

Need to maintain genuine login session with authentication interception

Opened this issue · 1 comments

The login/logout cycle in Quo has not been fully implemented. Some beats:

  • It is possible to go directly to /main (or other pages that presumably require a login) without logging in.
  • There is no login session such that a given page cannot tell which user is logged in.
  • Web services can be invoked freely without an authentication challenge.

These need to be implemented.

There has been some progress made here, though only on the web app side so far. The web service still needs protection, and for the web app, the protection needs to be smarter (i.e., instead of just spewing 403s, redirects to the login page would be good, or perhaps to a user signup page).
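A sketch of the interception described in this issue, as an added example that is not Quo's own code: unauthenticated web app requests (such as `/main`) are redirected to the login page, web service requests get a 401 challenge, and a server-side session tells each page who is logged in. It is written as Python WSGI middleware for illustration; the `/login`, `/signup` and `/ws/` paths, the `session` cookie name, the in-memory store and the `Bearer` challenge scheme are all assumptions.

```python
import secrets
from http.cookies import CookieError, SimpleCookie

LOGIN_PATH = "/login"                    # assumed login page path
PUBLIC_PATHS = {LOGIN_PATH, "/signup"}   # assumed pages reachable without a session
SERVICE_PREFIX = "/ws/"                  # assumed prefix for web service endpoints
SESSIONS = {}                            # session id -> username (in-memory, example only)

def login(username):
    """Create a server-side session after credentials were verified elsewhere."""
    sid = secrets.token_urlsafe(32)      # unguessable session identifier
    SESSIONS[sid] = username
    return sid

def logout(sid):
    """End the session so the same cookie value stops working."""
    SESSIONS.pop(sid, None)

def session_user(cookie_header):
    """Return the username bound to the session cookie, or None."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return None
    morsel = jar.get("session")
    return SESSIONS.get(morsel.value) if morsel else None

class AuthInterceptor:
    """WSGI middleware that checks every request before the app sees it."""
    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        path = environ.get("PATH_INFO", "/")
        user = session_user(environ.get("HTTP_COOKIE"))
        if user is not None:
            environ["REMOTE_USER"] = user          # pages can tell who is logged in
            return self.app(environ, start_response)
        if path in PUBLIC_PATHS:
            return self.app(environ, start_response)
        if path.startswith(SERVICE_PREFIX):
            # Web services answer with an authentication challenge, not a redirect.
            headers = [("WWW-Authenticate", 'Bearer realm="quo"'), ("Content-Length", "0")]
            start_response("401 Unauthorized", headers)
            return [b""]
        # Web app pages redirect to the login page instead of returning a bare 403.
        start_response("302 Found", [("Location", LOGIN_PATH), ("Content-Length", "0")])
        return [b""]
```

Because the session lives on the server, `logout` invalidates it immediately; a production version would also expire idle sessions and set the cookie with `HttpOnly`, `Secure` and `SameSite`.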