
Easy to trigger invalid session

Open fungc-io opened this issue 1 year ago • 2 comments

Problem

It's easy to trigger the "Direct Access disallowed" error in the web apps, for example when a user quits and reopens the mobile browser. They will see a cryptic message:

Direct access to this page is disallowed

This page can only be accessed via the authorization endpoint.

Proposed change

  1. Change the message to a more user-friendly one
     1. To be handled in DEV-350: Improve error page for CSRF Error page
  2. Switch to a Max-Age cookie of 5 minutes. Each request will extend the age by 5 minutes.

Please also research whether giving up the session cookie is OK security-wise.

fungc-io, Jan 04 '24 14:01
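The sliding Max-Age cookie proposed in item 2, as an added Go example that is not authgear's own code: the cookie is re-issued on every request with a 5-minute Max-Age, and, to keep the trade-off raised in the last line bounded, an assumed absolute lifetime cap that the sliding window can never extend past. The cookie name, the cap value and the `issuedAtFor` lookup are assumptions, not anything from the project.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

const ( // assumed values for this added example, not authgear's own settings
	cookieName  = "example_web_session" // hypothetical cookie name
	slidingAge  = 5 * time.Minute       // renewed on every request
	absoluteMax = 60 * time.Minute      // hard cap, regardless of activity
)

// slidingCookie renews Max-Age to slidingAge on each call but never past
// issuedAt+absoluteMax; it returns nil once that cap has been reached.
func slidingCookie(value string, issuedAt, now time.Time) *http.Cookie {
	hardDeadline := issuedAt.Add(absoluteMax)
	if !now.Before(hardDeadline) {
		return nil
	}
	remaining := slidingAge
	if left := hardDeadline.Sub(now); left < remaining {
		remaining = left
	}
	return &http.Cookie{
		Name: cookieName, Value: value, Path: "/",
		MaxAge:   int(remaining.Seconds()),
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	}
}

// refresh re-issues the cookie on every request, so closing and reopening the
// browser within slidingAge keeps the session; issuedAtFor is an assumed store lookup.
func refresh(next http.Handler, issuedAtFor func(id string) (time.Time, bool)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if c, err := r.Cookie(cookieName); err == nil {
			if issued, ok := issuedAtFor(c.Value); ok {
				if nc := slidingCookie(c.Value, issued, time.Now()); nc != nil {
					http.SetCookie(w, nc)
				}
			}
		}
		next.ServeHTTP(w, r)
	})
}

func main() {
	fmt.Println(slidingCookie("demo", time.Now().Add(-10*time.Minute), time.Now()).MaxAge) // 300
}
```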