Client library should authenticate user for each new HTTP session

[gnulib]

Currently authentication is based on JESSIONID cookie, which means user is not authenticated upon new HTTP session as long as cookie is valid.

We either need to implement an openid access token validation from cookie for each new HTTP session, or implement a non-cookie based authentication that will not persist with cookie.

This is needed because user's role may change between session, e.g., user not part of authorized users for application's tenant.

[gnulib]

So, cookies are being sent with no-cache, and get cleared by the browser when shutdown. However, as long as browser is open (even for other HTTP sessions), cookie stays and is re-used if browser goes back to website. Hence, CSRF protection is in place for any state change.

We may still want to implement token validation for each new HTTP session, for the case when user's role has changed while cookie is not invalidated.