MantisBT: master 6f369a5a

Author: dregad
Committer: dregad
Branch: master
Timestamp: 2021-02-13 12:33
Parent: master c2ed5da6

Affected Issues:
  0011296: Mantis BT is using fix cookies in the DB
  0027976: CVE-2009-20001: User cookie string is not reset upon logout
Changeset

Reset user session cookie string upon logout

When a user logs out from Mantis, we clear their session cookie string
(i.e. set the mantis_user_table.cookie_string column to an empty string).
This ensures that anyone knowing its value is no longer able to log in
with it.

On login, after successfully authenticating the user, when setting
the cookies in auth_set_cookies() we check if the cookie_string is
defined in the DB, and if not a new hash is generated and stored.

While not a complete fix for issue 0011296, this does improve the
situation by providing an easy and logical means for users to
effectively invalidate all their previous sessions.

Additionally, using an empty value to indicate an invalidated cookie
string instead of directly generating a new hash makes it easy to:

  • identify user records which should be considered as logged out
    (e.g. last_visit older than $g_cookie_time_length)
  • invalidate login cookies (set them to '')

Leveraging this is left for future improvements.

Note: an empty string in the session cookie always triggers an anonymous
login (or sends the user back to login page if anonymous login is
disabled).

Fixes 0027976

mod - core/authentication_api.php
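The logout/login behaviour the commit message describes, modelled as an added Python example (not MantisBT's PHP code): an in-memory stand-in for mantis_user_table where logout blanks cookie_string, the next login mints a new value only if it is empty, an empty cookie resolves to anonymous, and rows whose last_visit is older than the cookie lifetime can be identified. The 30-day COOKIE_TIME_LENGTH value and the random-token generator are assumptions, not the project's settings.

```python
import secrets

# Assumed analogue of $g_cookie_time_length in seconds; the real default is not on the page.
COOKIE_TIME_LENGTH = 30 * 24 * 3600


class UserTable:
    """Constructed stand-in for mantis_user_table: user id -> cookie_string, last_visit."""

    def __init__(self):
        self.rows = {}

    def add_user(self, user_id, now):
        # A fresh account has no session cookie string yet.
        self.rows[user_id] = {"cookie_string": "", "last_visit": now}

    def login(self, user_id, now):
        """After successful authentication: keep a stored cookie_string, or mint one if cleared."""
        row = self.rows[user_id]
        if row["cookie_string"] == "":
            row["cookie_string"] = secrets.token_hex(32)  # stand-in for the stored hash
        row["last_visit"] = now
        return row["cookie_string"]

    def logout(self, user_id):
        """The fix: blank the stored cookie_string so every previously issued cookie stops working."""
        self.rows[user_id]["cookie_string"] = ""

    def user_from_cookie(self, cookie):
        """Resolve a presented cookie; '' or any unknown value means anonymous (None)."""
        if cookie == "":
            return None
        for user_id, row in self.rows.items():
            if row["cookie_string"] and secrets.compare_digest(row["cookie_string"], cookie):
                return user_id
        return None

    def expired_sessions(self, now):
        """Rows still holding a cookie_string whose last_visit exceeds the cookie lifetime."""
        return sorted(uid for uid, row in self.rows.items()
                      if row["cookie_string"] != ""
                      and now - row["last_visit"] > COOKIE_TIME_LENGTH)


def demo():
    """Login, logout, re-login; returns (old_cookie, lookup_of_old_cookie, new_cookie)."""
    table = UserTable()
    table.add_user(7, 1_600_000_000)
    old = table.login(7, 1_600_000_000)
    table.logout(7)
    reuse = table.user_from_cookie(old)  # None: the old cookie no longer maps to a user
    new = table.login(7, 1_600_000_060)
    return old, reuse, new
```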