Clear __csrf cookie after logout

[matthew-white]

After a session is created, Backend returns two cookies: __Host-session and __csrf. The cookies expire at the same time as the session, so if a session expires on its own, the cookies will expire as well and be cleared. If the user logs out the session before it expires, then the __Host-session cookie is cleared — but the __csrf cookie is not. I don't think that's a huge deal, but I think it's cleaner to clear both cookies together, which is what this PR does.

What has been done to verify that this works as intended?

Updated tests.

Why is this the best possible solution? Were any other approaches considered?

The change is pretty small.

How does this change affect users? Describe intentional changes to behavior and behavior that could have accidentally been affected by code changes. In other words, what are the regression risks?

This change isn't really user-facing. It's more about cleaning up after logout. I think the risk of regression is low.

Does this change require updates to the API documentation? If so, please update docs/api.md as part of this PR.

I don't think changes are needed. We discourage the use of cookie auth in the API docs, and we don't document the __csrf cookie at all.

Before submitting this PR, please make sure you have:

• run make test-full and confirmed all checks still pass OR confirm CircleCI build passes
• verified that any code from external sources are properly credited in comments or that everything is internally sourced

[alxndrsn]

It's surprising that the cookies are "unset" by setting them to the string null, rather than an empty string. But with the given expiry, the client should delete them immediately anyway 👍