feat(cookie): prevent aggressive session cookie expiration #284

Merged: hardy-dev-infinilabs merged 3 commits into main from limit_max_cookie_size on Apr 30, 2026

@medcl commented Apr 24, 2026

What does this PR do

Introduce a threshold-based cleanup mechanism for session cookies. Check the Cookie header size first and only trigger cleanup when it exceeds 6 KB, leaving headroom before the 8 KB browser/server limit. This ensures that:

  • 2–3 services on localhost: cookies coexist fine, all sessions survive, no logout
  • Many services / cookie bloat: cleanup kicks in to prevent the 8192-byte overflow, expiring foreign session cookies as a last resort

The tradeoff is intentional — you only lose foreign sessions when the alternative would be broken requests from header overflow.

Rationale for this change

Standards checklist

  • The PR title is descriptive
  • The commit messages are semantic
  • Necessary tests are added
  • Updated the release notes
  • Necessary documents have been added if this is a new feature
  • Performance tests checked, no obvious performance degradation

@medcl changed the title from "fix(cookie): prevent aggressive session cookie expiration" to "feat(cookie): prevent aggressive session cookie expiration" on Apr 24, 2026
@hardy-dev-infinilabs merged commit af13620 into main on Apr 30, 2026
4 checks passed
@hardy-dev-infinilabs deleted the limit_max_cookie_size branch April 30, 2026 01:07
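
The threshold check described in the PR, sketched in Go as an added example (not the project's code, which this page does not show). The function and constant names, the `_session` suffix used to recognise session cookies, and the `Path: "/"` on the expiring cookies are assumptions; the sample requests are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

const (
	cleanupThreshold = 6 * 1024   // from the PR: only clean up above 6 KB
	sessionSuffix    = "_session" // assumption: naming rule for session cookies
)

// foreignSessionExpiries returns expiring cookies for session cookies other
// than ownName, but only when the Cookie header exceeds the threshold.
func foreignSessionExpiries(r *http.Request, ownName string) []*http.Cookie {
	size := 0
	for _, h := range r.Header.Values("Cookie") {
		size += len(h)
	}
	if size <= cleanupThreshold {
		return nil // small header: every session survives, nobody is logged out
	}
	var expired []*http.Cookie
	for _, c := range r.Cookies() {
		if c.Name == ownName || !strings.HasSuffix(c.Name, sessionSuffix) {
			continue
		}
		// Assumption: the foreign cookie was set with Path=/ and no Domain.
		expired = append(expired, &http.Cookie{Name: c.Name, Path: "/", MaxAge: -1})
	}
	return expired
}

// buildRequest constructs a sample request carrying n foreign session cookies.
func buildRequest(n, valueLen int) *http.Request {
	r, _ := http.NewRequest("GET", "http://localhost/", nil)
	r.AddCookie(&http.Cookie{Name: "app_session", Value: "own"})
	r.AddCookie(&http.Cookie{Name: "theme", Value: "dark"})
	for i := 0; i < n; i++ {
		r.AddCookie(&http.Cookie{Name: fmt.Sprintf("svc%d_session", i), Value: strings.Repeat("a", valueLen)})
	}
	return r
}

func main() {
	fmt.Println(len(foreignSessionExpiries(buildRequest(2, 500), "app_session")))  // header under 6 KB
	fmt.Println(len(foreignSessionExpiries(buildRequest(10, 700), "app_session"))) // header over 6 KB
}
```

A caller would pass each returned cookie to `http.SetCookie` on the response; a cookie set with a different path or domain is not removed by this sketch.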