FEATURE: detect when client thinks user is logged on but is not

This cleans up an error condition where UI thinks a user is logged on
but the user is not. If this happens user will be prompted to refresh.

lib/auth/default_current_user_provider.rb

@@ -14,6 +14,7 @@ class Auth::DefaultCurrentUserProvider
   TOKEN_COOKIE ||= "_t"
   PATH_INFO ||= "PATH_INFO"
   COOKIE_ATTEMPTS_PER_MIN ||= 10
+  BAD_TOKEN ||= "_DISCOURSE_BAD_TOKEN"
 
   # do all current user initialization here
   def initialize(env)
@@ -58,7 +59,8 @@ class Auth::DefaultCurrentUserProvider
         current_user = @user_token.try(:user)
       end
 
-      unless current_user
+      if !current_user
+        @env[BAD_TOKEN] = true
         begin
           limiter.performed!
         rescue RateLimiter::LimitExceeded
@@ -69,6 +71,8 @@ class Auth::DefaultCurrentUserProvider
           )
         end
       end
+    elsif @env['HTTP_DISCOURSE_LOGGED_IN']
+      @env[BAD_TOKEN] = true
     end
 
     if current_user && should_update_last_seen?