todo:
- handle iphashpermlevel to not send IP for users without perms (separate room? seems easiest)
- make sure lastpostId, reply adding, etc doesnt get all fucked up because of multi threads on one page
authenticated: same as `user != null`
user.authLevel, user.ownedBoards, user.modBoards: refreshed by sessionrefresh on
each request anyways, so it doesn't make much sense to store them in the session
store too.