Add a note about using user_session to PR template

[jmhooper]

Why: So we know to look for proper use of the user_session helper
during PR reviews.

Hi! Before submitting your PR for review, and/or before merging it, please
go through the following checklist:

• For DB changes, check for missing indexes, check to see if the changes
  affect other apps (such as the dashboard), make sure the DB columns in the
  various environments are properly populated, coordinate with devops, plan
  migrations in separate steps.

• For route changes, make sure GET requests don't change state or result in
  destructive behavior. GET requests should only result in information being
  read, not written.

• For encryption changes, make sure it is compatible with data that was
  encrypted with the old code.

• Do not disable Rubocop or Reek offenses unless you are absolutely sure
  they are false positives. If you're not sure how to fix the offense, please
  ask a teammate.

• When reading data, write tests for nil values, empty strings,
  and invalid formats.

• When calling redirect_to in a controller, use _url, not _path.

[tbaxter-18f]

I'm not sure this happens enough to be in the checklist, but it is important to know, and I don't have any ideas for a better place to put it. So +1 from me.

[jmhooper]

I think it could come up more as we start working in the idv code, which stores lots of user data in the session.

[monfresh]

LGTM