Add an authentication session.

This requires another change to the `key` table.  The `set_id` column
has been removed, and in its place is a `session` key.  This column is a
JSON column and holds all session values.

Note there are really two sessions that can be used.  A cookie session
(for this the Mojolicious session is used) or a database session. Which
is used is determined by the `manage_session_via` course environment
setting.

The database session works by saving a hash in the stash key named
'webwork2.database_session'.  This hash is saved to the database in the
`after_dispatch` hook.  This means that regardless of which session is
used, session values can be set anytime after the session is created in
authentication and before the `after_dispatch` hook is called. That is
pretty much at anytime in a content generator module. Do not directly
use the `Mojolicious::Controller::session` method (which will only set
cookie session values) except in the authentication modules.  Instead
call the `WeBWorK::Authen::session` method which takes care of setting
the values for the correct session type (database or cookie).

One value the session now holds is what the `set_id` column stored
before.

In addition proctor authentication is completely reworked.  Instead of
the hack to use a separate proctor key, session values are used.  There
are some additional security measures implemented to make it harder for
a student to hijack the session and gain access to a test after a
proctoring session without having submitted the test as observed
in openwebwork#2243 and openwebwork#2244.  First, the proctor username and password (and the
submit button) must come from a POST request.  Parameters from a GET
request are ignored for these things.  It is a little harder to
construct a POST request than a GET request. Second, the data saved in
the session is specific to the set and version.  So it is not possible
for a student to open a new version of a test anymore, only to regain
access to the version that was being worked. Third, the proctor_user is
no longer saved in a hidden field in the GatewayQuiz form.  If proctor
authorization has been granted, then the authorization is saved in the
session, and so the proctor_user is not needed.

Some of the derived authentication modules will need some changes to
work with this.  Of course the LTIAdvantage, LTIAdvanced, and Proctor
modules have already been changed and tested.  Looking at the LDAP and
CAS code, it seems that they should still work with this, but I can't
test those.  Most likely Cosign, Moodle, and Shibboleth will need
changes.  I don't know if anyone still uses the Moodle module. They
really shouldn't, and should use LTI instead.  I think that module
should be deleted.

lib/Mojolicious/WeBWorK.pm

@@ -172,6 +172,7 @@ sub startup ($app) {
 			$SIG{__WARN__} = $c->stash->{orig_sig_warn} if defined $c->stash->{orig_sig_warn};
 
 			if ($c->isa('WeBWorK::ContentGenerator') && $c->ce) {
+				$c->authen->store_session if $c->authen;
 				writeTimingLogEntry(
 					$c->ce,
 					'[' . $c->url_for . ']',

lib/WeBWorK.pm

@@ -240,7 +240,7 @@ async sub dispatch ($c) {
 			# we need to also check on the proctor.  Note that in the gateway quiz
 			# module this is double checked to be sure that someone isn't taking a
 			# proctored quiz but calling the unproctored ContentGenerator.
-			if ($c->current_route =~ /^proctored_gateway_quiz|proctored_gateway_proctor_login$/) {
+			if ($c->current_route =~ /^(proctored_gateway_quiz|proctored_gateway_proctor_login)$/) {
 				my $proctor_authen_module = WeBWorK::Authen::class($ce, 'proctor_module');
 				runtime_use $proctor_authen_module;
 				my $authenProctor = $proctor_authen_module->new($c);
@@ -251,6 +251,10 @@ async sub dispatch ($c) {
 					await WeBWorK::ContentGenerator::LoginProctor->new($c)->go;
 					return 0;
 				}
+			} else {
+				# If any other page is opened, then revoke proctor authorization if it has been granted.
+				# Otherwise the student will be able to re-enter the test without again obtaining proctor authorization.
+				delete $c->authen->session->{proctor_authorization_granted};
 			}
 			return 1;
 		} else {