refactor: update session cookie options and improve login view authentication flow

- Revised SameSite attribute for session cookies to clarify its behavior in documentation.
- Streamlined cookie clearing logic in the authentication route by utilizing `getSessionCookieOptions()`.
- Enhanced the login view to support aborting server checks, improving responsiveness during component unmounting.
- Ensured proper handling of server check retries with abort signal integration for better user experience.
This commit is contained in:
webdevcody
2026-01-07 14:33:55 -05:00
parent e58e389658
commit 4d36e66deb
5 changed files with 30 additions and 14 deletions


@@ -262,7 +262,7 @@ export function getSessionCookieOptions(): {
return {
httpOnly: true, // JavaScript cannot access this cookie
secure: process.env.NODE_ENV === 'production', // HTTPS only in production
sameSite: 'lax', // Sent on same-site requests including cross-origin fetches
sameSite: 'lax', // Sent for same-site requests and top-level navigations, but not cross-origin fetch/XHR
maxAge: SESSION_MAX_AGE_MS,
path: '/',
};
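Review bot: The rewritten comment on `sameSite: 'lax'` is accurate but leaves out what the choice means for CSRF protection, which is the reason a reader would look at this line. Lax withholds the cookie on cross-site POST/fetch/XHR but still sends it on top-level GET navigations, so the protection only holds if no state-changing route is reachable via GET; a sentence stating that assumption here, e.g. `// Lax blocks cross-site POST/fetch/XHR but still sends the cookie on top-level GET navigations, so state-changing routes must not accept GET`, would make the contract explicit. The `secure` flag on the line above is tied to NODE_ENV rather than to whether the deployment actually serves HTTPS, which may be worth noting in the same comment. getSessionCookieOptions begins before the hunk.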


@@ -233,10 +233,7 @@ export function createAuthRoutes(): Router {
// Using res.cookie() with maxAge: 0 is more reliable than clearCookie()
// in cross-origin development environments
res.cookie(cookieName, '', {
httpOnly: true,
secure: process.env.NODE_ENV === 'production',
sameSite: 'lax',
path: '/',
...getSessionCookieOptions(),
maxAge: 0,
expires: new Date(0),
});
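Review bot: The `expires: new Date(0)` line after the spread is likely dead if this `res.cookie` is Express's, because Express recomputes `expires` from `maxAge` whenever `maxAge` is present; it is harmless, but it suggests the two lines are independent when they are not. The spread is the important part — a browser only drops a cookie when `path` (and `domain`, should it ever be added to getSessionCookieOptions) match the values used when the cookie was set — so a short comment above the spread would preserve that intent: `// Reuse the exact attributes the session cookie was set with; only the lifetime is overridden below`. createAuthRoutes starts and ends outside the hunk.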


@@ -277,7 +277,7 @@ describe('auth.ts', () => {
const options = getSessionCookieOptions();
expect(options.httpOnly).toBe(true);
expect(options.sameSite).toBe('strict');
expect(options.sameSite).toBe('lax');
expect(options.path).toBe('/');
expect(options.maxAge).toBeGreaterThan(0);
});
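Review bot: The updated assertion pins `sameSite`, but the test still never checks `secure`, which is the attribute that keeps the session cookie off plain HTTP; a regression there would pass this suite. Adding `expect(options.secure).toBe(process.env.NODE_ENV === 'production');` alongside the other expectations, or a second case that sets NODE_ENV to 'production' and asserts `secure` is true, would cover it. The enclosing `it` block appears to start before the visible lines.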