Add $wgAuthenticationTokenVersion
This allows for quickly invalidating everyone's session all at once by
changing a single value.
As a side effect, setting this also stops the user_token field from
the database from being served to the user as a cookie.
This mitigates but doesn't completely solve T49490, as it allows for
invalidating all existing sessions and token-cookies but does not help
if the user_token field in the database was leaked.
Bug: T49490
Change-Id: I9d316a6bbb36278d138f39a89125ebb8cc71b28f