Closes #772 (closed)
Enables cookie-based authentication for endpoints where the signature token is an accepted authentication method. The cookie uses
sameSite=strict to only send the cookie when the call originates from the same domain.
Also fixes some issues with the download functionality, by using headers rather than the (not quite functional)