Improved cookie based auth

[joepio]

Current implementation of cookie based auth #241 solves the most important issue (being able to view private images), but it still needs some improvements:

• Cross domain authentication (using cookies?) #278
• Signed authentication should include expiration date. Otherwise, the signature / cookie can be re-used by malicious actors outside of the expiration date. Use expiration date in authentications atomic-server#526
• Use cookie authentication for file uploads, so we can get rid of signing individual HTTP requests. Note that this currently works on same-origin situations, but not cross.

[rescribet]

Cross origin cookies can't be set from JavaScript by design (major security risico), from what I can see only subdomains are a possibility. Proxying images through your own server seems like an easy solution.

By far the simplest way to invalidate authentication is to set a minimum timestamp and reject everything earlier. Though just adding an expiration is more robust.