OpenID Connect: refreshing the cookie

[scr4tchy]

Hi,

When #389 was implemented, it seems that the RefreshSessionIfNeeded function's definition is dummy? Why would we not use the refresh token instead and actually refresh the session?

Right now, if cookie-refresh is set, the dummy function is executed, and the code proceeds to ValidateSessionState (saveSession && !revalidated), which throws the ugly removing session. error validating and instantly de-authenticate.

In other words, as of now, if -cookie-expire=24h and -cookie-refresh=1h, instead of having at least 24h worth of session, or infinity if the page is visited every < 24h, we get dope 1h long sessions.

/cc @ericchiang

[JoelSpeed]

I believe #621 solves this issue?