Commit 733353c1 authored by Benni Mack

[!!!][FEATURE] Refactored Session Handling

The AbstractUserAuthentication class handles way too much
of what it should know / do.

For this reason, a new UserSession object which contains
basic information needed for everything belonging to a non-fixated
session, a fixated anonymous session, if a session was elevated,
or if a session has expired, is kept in there.
The "SessionManager" should not be used anymore publicly
but slowly dissolve into a SessionBackendManager.

Design goals:
* UserAuth object should not know about session backends
* UserAuth should not store sessionData etc. directly in its own object
* Decouple UserSession info from any properties of UserAuth
* A UserSessionManager deals with the creation and validation of the UserSession objects. No Session Objects can be created etc outside
of this class to maintain persistability
* UserSessionManager also encapsulates ipLocking and the responsible SessionBackend

Final goals to be tackled later:
* Build a user session object from the request object, and not within the UserAuth object
* Session Handling can be accessed outside of UserAuth
* Cookie Handling and Session Handling are separated from UserAuth
* Load Session information from PSR-7 request instead of $_COOKIE

Resolves: #93023
Releases: master
Change-Id: Ia2d8244e433d0f6adf220d443b2c0947f251b5e9
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/66935


Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Oliver Bartsch <bo@cedev.de>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Bartsch <bo@cedev.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Benni Mack <benni@typo3.org>
parent f16b4787
Showing
with 1012 additions and 328 deletions