    make cookie a bit more secure - fixes #445 · 6826e43a
    dakkar authored
    We can't make the cookie `HttpOnly` because we're setting it from
    JavaScript, but I'm not sure it's worth the trouble to redesign that:
    `JSON.parse(localStorage.account).token` gives you the token anyway,
    hiding the cookie from JS won't offer much protection.
    
    At least we can mark it `Secure` (meaning, only send it over HTTPS)
    and _delete it on logout_ (it wasn't!)
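
The cookie handling the commit message describes, as an added example that is not the project's own code: it builds the strings a script would assign to `document.cookie` at login and logout, and runs them through a simplified model of browser cookie storage. The cookie name `token`, the `Path=/` value and the helper names are assumptions.

```javascript
// Added example, not the project's code. Name and path are assumed values.
const COOKIE_NAME = "token";
const COOKIE_PATH = "/"; // the delete must use the same Path as the set

// String to assign to document.cookie at login: Secure, no HttpOnly.
function loginCookie(token, maxAgeSeconds) {
  return `${COOKIE_NAME}=${encodeURIComponent(token)}; Path=${COOKIE_PATH}; ` +
         `Max-Age=${maxAgeSeconds}; Secure`;
}

// String to assign at logout: same name and Path, Max-Age=0 expires it.
function logoutCookie() {
  return `${COOKIE_NAME}=; Path=${COOKIE_PATH}; Max-Age=0; Secure`;
}

// Simplified model of `document.cookie = str` (real browsers also match on
// Domain and derive a default Path from the page URL; "/" is assumed here).
// Returns false when the browser would ignore the assignment.
function applyToJar(jar, str, pageProtocol) {
  const [pair, ...attrs] = str.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  const a = new Map(attrs.map((x) => {
    const [k, v = ""] = x.split("=");
    return [k.toLowerCase(), v];
  }));
  // A cookie set from script cannot carry HttpOnly: it is dropped entirely.
  if (a.has("httponly")) return false;
  // A Secure cookie can only be set from a page loaded over HTTPS.
  if (a.has("secure") && pageProtocol !== "https:") return false;
  const key = `${name}|${a.get("path") || "/"}`;
  if (a.has("max-age") && Number(a.get("max-age")) <= 0) jar.delete(key);
  else jar.set(key, { value, secure: a.has("secure") });
  return true;
}
```

A logout string whose `Path` differs from the one used at login leaves the original cookie in place, which is the easiest way for a "delete on logout" fix to silently not work.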