pub fn session_cookie(token: &str, cfg: &Config) -> String
Build the Set-Cookie value that stores a session token in an HttpOnly, SameSite=Strict cookie.
HttpOnly keeps the token unreadable from JavaScript (so an XSS cannot exfiltrate it); SameSite=Strict blocks CSRF; because the SPA is
same-origin with the API, the cookie still reaches the media plane (<img>/<video>/HLS).
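As an added example, not the crate's own implementation, one way to build this header and check that a token cannot smuggle extra attributes or a second header line into it. `Config` and its fields (`cookie_name`, `path`, `max_age_secs`, `secure`) are assumed, as is the `Secure` attribute, which the doc comment above does not mention.

```rust
// Added example; `Config` and its fields are assumptions, the page only
// shows the function signature and its doc comment.
pub struct Config {
    pub cookie_name: String,       // e.g. "session"
    pub path: String,              // scope shared by the API and the media plane
    pub max_age_secs: Option<u64>, // None => browser-session cookie
    pub secure: bool,              // add `Secure` when served over HTTPS (assumed field)
}

/// True iff every byte is an RFC 6265 cookie-octet: printable ASCII except
/// `"`, `,`, `;`, `\` and whitespace. CR/LF in particular must never reach a
/// Set-Cookie line, or the value could inject further headers/attributes.
pub fn token_is_cookie_safe(token: &str) -> bool {
    !token.is_empty()
        && token.bytes().all(|b| {
            matches!(b, 0x21 | 0x23..=0x2B | 0x2D..=0x3A | 0x3C..=0x5B | 0x5D..=0x7E)
        })
}

pub fn session_cookie(token: &str, cfg: &Config) -> String {
    // The token is server-generated (e.g. base64url of random bytes), so a
    // violation here is a bug in the generator, not user input: fail loudly
    // rather than emit a malformed header.
    assert!(token_is_cookie_safe(token), "session token is not a valid cookie value");
    let mut header = format!(
        "{}={}; Path={}; HttpOnly; SameSite=Strict",
        cfg.cookie_name, token, cfg.path
    );
    if cfg.secure {
        header.push_str("; Secure");
    }
    if let Some(secs) = cfg.max_age_secs {
        header.push_str(&format!("; Max-Age={secs}"));
    }
    header
}

/// Splits a Set-Cookie value into its attributes so a test or a response
/// filter can assert that the hardening flags are actually present.
pub fn attributes(set_cookie: &str) -> Vec<String> {
    set_cookie.split(';').map(|s| s.trim().to_string()).collect()
}
```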