    Clear session access tokens when starting/stopping impersonation · 413f65cf
    Drew Blessing authored
    For project import purposes, GitLab may store third-party
    access tokens in the session cookie. When an admin impersonates
    another user, the session is not totally unique so we should
    clear out any access tokens both when starting and stopping
    impersonation. This prevents inadvertently using the wrong
    token in the wrong context.
    
    Changelog: security
impersonations_controller_spec.rb 3.21 KB
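
The behaviour the commit message describes, as an added Ruby sketch that is not GitLab's code: one session hash is reused across impersonation, so token entries are dropped on both transitions. The session key names, the `_access_token` suffix rule and the `ImpersonationFlow` class are assumptions made for illustration.

```ruby
# Added illustration, not GitLab code. Key names and the suffix rule are assumptions.
TOKEN_KEY_SUFFIX = '_access_token'

# Remove every session entry that holds a third-party access token.
def clear_access_tokens!(session)
  session.delete_if { |key, _value| key.to_s.end_with?(TOKEN_KEY_SUFFIX) }
end

# Minimal stand-in for an impersonation flow that keeps using one session.
class ImpersonationFlow
  def initialize(session, admin_id)
    @session = session
    @session[:user_id] = admin_id
  end

  def impersonating?
    @session.key?(:impersonator_id)
  end

  def start(target_user_id)
    raise ArgumentError, 'already impersonating' if impersonating?

    # The admin's import tokens must not follow into the impersonated context.
    clear_access_tokens!(@session)
    @session[:impersonator_id] = @session[:user_id]
    @session[:user_id] = target_user_id
  end

  def stop
    raise ArgumentError, 'not impersonating' unless impersonating?

    # Tokens stored while impersonating must not follow back to the admin.
    clear_access_tokens!(@session)
    @session[:user_id] = @session.delete(:impersonator_id)
  end
end

# Constructed sample data: walks one start/stop cycle and returns both snapshots.
def demo
  session = { github_access_token: 'constructed-admin-token' }
  flow = ImpersonationFlow.new(session, 1)
  flow.start(42)
  after_start = session.dup
  session[:bitbucket_access_token] = 'constructed-user-token'
  flow.stop
  [after_start, session]
end
```
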