Rather than support the fiddly matrix of possiblities when a user
may not have a session with the application but has a session with
the identity provider, borrow the newer "Goldilocks" API design from
upstream where the application is responsible for its own session
and the BrowserId implementation is less stateful.