MantisBT: master-2.24 79a78c09

Author: dregad
Committer: dregad
Branch: master-2.24
Timestamp: 2021-02-24 08:16
Parent: master-2.24 4aa1c22b
Affected Issues
  0011296: Mantis BT is using fix cookies in the DB
  0027976: CVE-2009-20001: User cookie string is not reset upon logout
Changeset

Set a new random cookie string upon logout

When a user logs out from Mantis, we reset their session cookie string.
This ensures that anyone knowing its value is no longer able to log in
with it.

While not a complete fix for issue 0011296, this does improve the
situation by providing an easy and logical means for users to
effectively invalidate all their previous sessions.

Additionally, using an empty value to indicate an invalidated cookie
string instead of directly generating a new hash makes it easy to:

  • identify user records which should be considered as logged out
    (e.g. last_visit older than $g_cookie_time_length)
  • invalidate login cookies (set them to '')
    Leveraging this is left for future improvements.

Note: an empty string in the session cookie always triggers an anonymous
login (or sends the user back to login page if anonymous login is
disabled).

Fixes 0027976

(cherry picked from commit d8181a548e5131eede5d3b891bec0df68b472ba9)

mod - core/authentication_api.php
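As an added illustration (not code from MantisBT or from this commit), a minimal PHP model of the behaviour the message describes: logout empties the stored cookie string, so any previously issued cookie stops matching, and an empty presented cookie always resolves to anonymous. The `$users` array and the `login()`, `logout()` and `resolve_cookie()` functions are assumed names for this example.

```php
<?php
// Added illustration, not MantisBT's own code. Constructed in-memory
// stand-in for the user table: id => record.
$users = [
    1 => ['username' => 'alice', 'cookie_string' => '', 'last_visit' => 0],
];

/** Generate a fresh random cookie string (64 hex characters). */
function generate_cookie_string(): string {
    return bin2hex(random_bytes(32));
}

/** Login: store a new random cookie string and return it for the browser. */
function login(array &$users, int $user_id): string {
    $cookie = generate_cookie_string();
    $users[$user_id]['cookie_string'] = $cookie;
    $users[$user_id]['last_visit'] = time();
    return $cookie;
}

/** Logout: empty the stored string, invalidating every existing session. */
function logout(array &$users, int $user_id): void {
    $users[$user_id]['cookie_string'] = '';
}

/**
 * Resolve a presented cookie to a user id, or null for anonymous.
 * An empty presented value never matches, so a record emptied by
 * logout cannot be matched by a browser sending an empty cookie.
 */
function resolve_cookie(array $users, string $presented): ?int {
    if ($presented === '') {
        return null;
    }
    foreach ($users as $id => $u) {
        if ($u['cookie_string'] !== ''
            && hash_equals($u['cookie_string'], $presented)) {
            return $id;
        }
    }
    return null;
}

$old = login($users, 1);
assert(resolve_cookie($users, $old) === 1);     // valid while logged in
logout($users, 1);
assert(resolve_cookie($users, $old) === null);  // old cookie no longer valid
assert(resolve_cookie($users, '') === null);    // empty cookie => anonymous
```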