Set shorter TTL for all unauthenticated requests

Stan Hu requested to merge sh-ensure-short-ttl-sessions into master

GitLab 11.2 limited the time-to-live (TTL) of unauthenticated sessions via !6586 (merged) using before_action in ApplicationController. However, this broke OAuth2 logins, which set the current_user after a login is successful, so we moved it to an after_action in gitlab-foss!21144 (merged). However, after_action isn't called if an exception is raised in the request cycle. Thus, in some situations, TTLs weren't always being set to a short value.

This commit adds the TTL limiting to the Devise Failure App (https://github.com/plataformatec/devise/blob/master/lib/devise/failure_app.rb), which is run anytime the user is redirected to the sign-in page.

Relates to https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/8247

Edited by Stan Hu
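The failure mode described above, as an added stand-alone Ruby illustration that is not GitLab's or Devise's code: a constructed session object and two simulated request cycles show why an after_action-based TTL limit is skipped when the action raises, while a failure-app-style hook on the sign-in redirect still shortens the TTL. The TTL values and the `FakeSession` class are assumptions for the example.

```ruby
SHORT_TTL = 2 * 60 * 60        # assumed: 2 hours for unauthenticated sessions
LONG_TTL  = 7 * 24 * 60 * 60   # assumed: 1 week default session lifetime

# Constructed stand-in for a Rails session with an expiry; not Rails code.
class FakeSession
  attr_accessor :ttl, :current_user
  def initialize
    @ttl = LONG_TTL
    @current_user = nil
  end
end

# Shorten the session lifetime whenever nobody is signed in.
def limit_session_ttl(session)
  session.ttl = SHORT_TTL if session.current_user.nil?
  session
end

# Controller-style cycle: run the action, then the after_action callback.
# This mirrors the gitlab-foss!21144 approach. If the action raises, control
# jumps straight to the rescue and the TTL limit is never applied.
def after_action_cycle(session, &action)
  action.call(session)
  limit_session_ttl(session)   # the after_action; skipped on exception
  :rendered
rescue StandardError
  :error                       # TTL left at LONG_TTL for an anonymous session
end

# Failure-app-style cycle: an unauthenticated request that ends in a redirect
# to the sign-in page passes through the failure app regardless of whether the
# action completed or raised, so the TTL limit is applied on that path too.
# (In Devise a custom failure app is registered via config.warden's failure_app.)
def failure_app_cycle(session, &action)
  action.call(session)
  limit_session_ttl(session)
  :rendered
rescue StandardError
  limit_session_ttl(session)   # runs on the redirect to sign-in
  :redirected_to_sign_in
end
```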