@localnerve

What does this PR do?

  • Adds APP_COOKIE_HTTPONLY env variable to govern the setting of the app cookie HttpOnly attribute separately from the Secure attribute (still set by APP_COOKIE_SECURE). APP_COOKIE_SECURE now affects only the Secure cookie attribute and not also the HttpOnly attribute.
  • Fixes asymmetric SameSite discrepancy when APP_COOKIE_SECURE=false and SameSite is LAX. (Prior code kept Delete as SameSite=None, causing mismatch and non-deletes on client side.)
  • Fixes the testSuite to execute without crashing after prior API updates that result in correct err and nil responses (see test suite for updates, pretty minor, but necessary to keep test suite functional).

Which issue(s) does this PR fix?

This does not directly address an issue. This allows webdevs to run authorizer instances in a test environment without setting up HTTPS. This is done by APP_COOKIE_SECURE=false, and with this PR, now without disabling the HttpOnly cookie attribute.
Why? WEBKIT CLIENT TESTING
This allows test and application code to run normally (expecting HttpOnly cookies) while allowing webkit clients to receive data without setting up HTTPS proxies and further complicating the test environment. Webkit only allows cookies to be stored over non-TLS connections with the Secure attribute disabled. This update allows webdevs to test with webkit clients without setting up TLS proxies on localhost like other browsers (firefox, chromium).

If this PR affects any API reference documentation, please share the updated endpoint references

This PR adds another undocumented Environment Variable (alongside APP_COOKIE_SECURE) APP_COOKIE_HTTPONLY. This allows APP_COOKIE_SECURE to be disabled without affecting the HttpOnly attribute.
This PR adds makefile test make test-debug, and documentation in CONTRIBUTING.md was updated to reflect this. I had to use this to debug/fix the existing tests.
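
An added illustration of the two points in the description above, not code from this PR or from the authorizer project: Secure and HttpOnly are derived from separate variables, and the set and delete cookies are built from the same attributes so they cannot drift apart. The type and function names, the cookie name, the "anything but false means true" parsing, and the Lax/None selection rule are assumptions made for the example.

```go
package main

import (
	"fmt"
	"net/http"
)

// cookieAttrs holds the attributes shared by the set and delete paths.
type cookieAttrs struct {
	Secure, HTTPOnly bool
	SameSite         http.SameSite
}

// attrsFromEnv reads the two variables named in the PR. getenv is injected so
// the example needs no real environment. Assumptions: anything but "false"
// means true; Secure=false selects SameSite=Lax, otherwise SameSite=None.
func attrsFromEnv(getenv func(string) string) cookieAttrs {
	a := cookieAttrs{
		Secure:   getenv("APP_COOKIE_SECURE") != "false",
		HTTPOnly: getenv("APP_COOKIE_HTTPONLY") != "false",
		SameSite: http.SameSiteNoneMode,
	}
	if !a.Secure {
		a.SameSite = http.SameSiteLaxMode
	}
	return a
}

// build returns the cookie to send; maxAge < 0 yields the deletion form.
func build(a cookieAttrs, name, value string, maxAge int) *http.Cookie {
	return &http.Cookie{Name: name, Value: value, Path: "/", MaxAge: maxAge,
		Secure: a.Secure, HttpOnly: a.HTTPOnly, SameSite: a.SameSite}
}

// symmetric reports whether a delete cookie matches the set cookie's scope
// and security attributes.
func symmetric(set, del *http.Cookie) bool {
	return set.Name == del.Name && set.Path == del.Path &&
		set.Secure == del.Secure && set.HttpOnly == del.HttpOnly &&
		set.SameSite == del.SameSite
}

func main() {
	env := map[string]string{"APP_COOKIE_SECURE": "false"} // constructed test setting
	a := attrsFromEnv(func(k string) string { return env[k] })
	set := build(a, "example_session", "token", 3600) // hypothetical cookie name
	del := build(a, "example_session", "", -1)
	fmt.Printf("%s\n%s\nsymmetric: %v\n", set, del, symmetric(set, del))
}
```

A check like `symmetric` can sit in a unit test so that any future change to the set path without the matching change to the delete path fails the build.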
