Move auth token to HTTPOnly Cookies #38

@porcej

Currently, the auth token for the admin page is handled by client-side JavaScript. This leads to the possibility of (maliciously) injected client-side code gaining access to the token. A better approach would be to generate HttpOnly cookies that can't be accessed directly by client-side code.
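
A sketch of the approach proposed in this issue, added here as an illustration and not taken from the project's code: the server issues the token in an `HttpOnly` cookie and reads it back from the `Cookie` header, and a small model of the browser rule shows what injected script could still see. The cookie name `admin_token`, the `/admin` path and the function names are assumptions.

```javascript
// Added example. COOKIE_NAME, the /admin path and all function names are
// assumptions, not identifiers from the project.
const COOKIE_NAME = "admin_token";

// Server side: Set-Cookie value that carries the token after login.
// HttpOnly keeps it out of document.cookie; Secure restricts it to HTTPS;
// SameSite=Strict matters because the browser now attaches it automatically.
function buildAuthCookie(token, maxAgeSeconds = 3600) {
  return [
    `${COOKIE_NAME}=${encodeURIComponent(token)}`,
    "Path=/admin",
    `Max-Age=${maxAgeSeconds}`,
    "HttpOnly",
    "Secure",
    "SameSite=Strict",
  ].join("; ");
}

// Server side: recover the token from the Cookie request header.
function readAuthToken(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1 || part.slice(0, eq).trim() !== COOKIE_NAME) continue;
    try {
      return decodeURIComponent(part.slice(eq + 1).trim());
    } catch {
      return null; // malformed percent-encoding: treat as unauthenticated
    }
  }
  return null;
}

// Simplified model of the browser rule: given the Set-Cookie headers a page
// received, return what document.cookie would expose to scripts.
function scriptVisibleCookies(setCookieHeaders) {
  const isHttpOnly = (h) =>
    h.split(";").slice(1).some((a) => a.trim().toLowerCase() === "httponly");
  return setCookieHeaders
    .filter((h) => !isHttpOnly(h))
    .map((h) => h.split(";")[0].trim())
    .join("; ");
}

// Constructed sample: the same token set with and without HttpOnly.
const hardened = [buildAuthCookie("abc123"), "theme=dark; Path=/"];
const legacy = ["admin_token=abc123; Path=/admin", "theme=dark; Path=/"];
console.log(scriptVisibleCookies(hardened));
console.log(scriptVisibleCookies(legacy));
```

With the cookie approach the admin page's JavaScript no longer adds the token to requests itself, so state-changing admin endpoints need CSRF protection in addition to the `SameSite` attribute.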

Labels: enhancement (New feature or request)