- May 15, 2018
JediKev authored
This addresses a vulnerability where there was no `X-Frame-Options` header, which could potentially allow click jacking. This adds the `X-Frame-Options: SAMEORIGIN` header so it will remove any chance of click jacking.

According to Mozilla Developer Docs:

```
SAMEORIGIN
The page can only be displayed in a frame on the same origin as the page itself.
```
- Oct 13, 2016
JediKev authored
- Sep 28, 2016
JediKev authored
- May 27, 2015
Jared Hancock authored
* Fix attachments not sticking on new dynamic form entry
* Fix attachments not sticking on thread post validation error
* Fix missing inline images in FAQ article viewing
* Fix missing inline images in FAQ article printing
* Fix crash rendering sidebar in staff faq view with attachments
* Rewrite GenericAttachments to be an ORM object
* Port CannedResponse to ORM
* Fix attachments not being displayed when editing a FAQ article
* Fix squirrelly empty blue box on faq articles with no attachments
- Jul 02, 2014
Jared Hancock authored
- Jun 30, 2014
Jared Hancock authored
- Apr 25, 2014
Jared Hancock authored
- Oct 18, 2013
Jared Hancock authored
- Aug 30, 2013
Jared Hancock authored
Also include

* username validation -- no spaces or weird chars
* no longer base64 encoded sha1-hex hash for CSRF token
* refresh login page every two hours to keep session active
- Jul 23, 2013
Jared Hancock authored
Uses a seven step procedure:

1. (user) Fails to login twice or more
2. Clicks the 'Forgot my password' link on the login form
3. Submits the username or email address and triggers a password-reset email
4. Clicks the link in the email and is directed back to the reset page
5. Enters the username or email again and is logged in
6. Password change is forced, but current password is not required
7. Password is updated, user can continue the session without authenticating again