GitLab 11.2 limited the time-to-live (TTL) of unauthenticated sessions
via https://gitlab.com/gitlab-org/gitlab/merge_requests/6586 using
`before_action` in `ApplicationController`. However, this broke OAuth2
logins, which set the `current_user` **after** a login is successful, so
we moved it to an `after_action` in
https://gitlab.com/gitlab-org/gitlab-foss/merge_requests/21144. However,
`after_action` isn't called if a exception is raised in the request
cycle. Thus, in some situations, TTLs weren't always being set to a
short value.

This commit adds the TTL limiting to the Devise Failure App, which is
run anytime the user is redirected to the sign-in page.

Relates to
https://gitlab.com/gitlab-com/gl-infra/infrastructure/issues/8247