Right now, challenge lifetime is server-enforced. This requires browsers to sign the request only for it to get rejected. We could allow sites to specify challenge lifetime in a couple of ways:

- As a parameter in the session config
- On the challenge header

Then the browser would still have to do a network round trip to get a fresh challenge, but it wouldn't waste time on a signing operation.