Add HttpOnly and SameSite attributes to session cookie

[underdarknl]

Harden against XSS, CSRF issues. Ip binding (local lan, arp spoofing) and replaying is still wide open.

[praseodym]

We already set these attributes in the set_default_cookie_properties function:

abacus/backend/src/api/authentication.rs

Lines 93 to 99 in 8235a51

	/// Set default session cookie properties
	pub(crate) fn set_default_cookie_properties(cookie: &mut Cookie) {
	cookie.set_path("/");
	cookie.set_http_only(true);
	cookie.set_secure(SECURE_COOKIES);
	cookie.set_same_site(SameSite::Strict);
	}

Did you find any place where these attributes were not set correctly?

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 91.95%. Comparing base (8235a51) to head (5273100).
⚠️ Report is 4 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2922      +/-   ##
==========================================
+ Coverage   91.93%   91.95%   +0.01%     
==========================================
  Files         390      390              
  Lines       18924    18927       +3     
  Branches     2047     2047              
==========================================
+ Hits        17398    17404       +6     
+ Misses       1428     1425       -3     
  Partials       98       98              

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.