Harden session cookie security with configurable cookie flags

backend/app/routers/auth.py

@@ -70,9 +70,9 @@ async def login(
     response.set_cookie(
         key=_COOKIE_NAME,
         value=signed_token,
-        httponly=True,
-        samesite="lax",
-        secure=False,  # Set to True in production behind HTTPS
+        httponly=settings.session_cookie_httponly,
+        samesite=settings.session_cookie_samesite,
+        secure=settings.session_cookie_secure,
         max_age=settings.session_duration_minutes * 60,
     )
     return LoginResponse(token=signed_token, expires_at=session.expires_at)