sessions: document the 4 timestamps in SessionState

[sporkmonger]

There are 4 timestamps in sessions.SessionState and their names are somewhat confusing, given that you're dealing w/ several things that may be on different expiration schedules, and indeed likely will be. It would be helpful to add additional comments discussing e.g. what RefreshDeadline vs LifetimeDeadline vs ValidDeadline are. I presume that RefreshDeadline is the timestamp at which access token is no longer valid, and that ValidDeadline is for checking whether token is still valid via token verification endpoint. Presumably LifetimeDeadline expiration sends the user back through the IdP auth flow again? But I'm guessing on all of these because the comments don't really say.