httpOnly (invisible to JS) and secure (https only) are now used. In
order to update existing users without requiring them to
re-authenticate, each request sets those properties on the cookie.
Finally, the maxAge is now 30 days and is also updated on each request.
i.e. it's a rolling 30 days.
Co-authored-by: Oliver Eyton-Williams <ojeytonwilliams@gmail.com>