luci-base: improve login/logout handling

luci-base: improve login/logout handling

Redirect to the canonical url after login and redirect to an url without
security token if the session expired. Also make sure that the login page
is served with status code 403, not 200 to give ajax calls a chance to
detect expired sessions.

Signed-off-by: Jo-Philipp Wich <jow@openwrt.org>