Decouple ChronologyProtector from user sessions
* It now works for users without using sessions.
Sessions should not be cluttered with things
unrelated to authentication and tokens.
* Public services doing api.php requests on behalf
of a users only need to set XFF headers (as normal)
for position wait logic to trigger. They can opt out
of ChronologyProtector via a new HTTP header
"ChronologyProtection: false".
* Requests across subdomains, such as the SUL2 handshake
for CentralAuth on account creation, now have position
wait logic applied. This helps avoid anomolies were a
row just written in the last request may not be seen.
* Use merge() to avoid rolling back master positions if
the user has multiple tabs open and doing writes at once.
* $_SESSION global state is gone from ChronologyProtector.
* Cleaned up post-send LBFactory::shutdown() logic for
avoiding master position writes with an explicit flag.
* Use 'replication' debug log group in more places.
Bug: T111264
Change-Id: Ib25d05994d62b25c2f89e67b7f51009c54f4bca8