Add per-user session timeout setting (under Settings 'Accounts' -> select acc).
There's a small catch-22 with sessions in the sense that we must set the cookie
timeout before we start the session, and thus before we know which user it is,
and thus before we know the preferred maximum session time.
So we set the cookie with a timeout of 86400 (1 day), since we don't really use
the cookie anyway, we use the /api/timeout.php script and the
$_SESSION['last-activity'] and $_SESSION['session_timeout'] variables
This also moves all the session_start() stuff to a single function that is
called only called at two places (in upper layer, not like by sql or file auth)
Settings - Accounts - acc: horizontally align the settings fields.