feat: remove login session cookie

[hperl]

Related issue(s)

Checklist

• I have read the contributing guidelines.
• I have referenced an issue containing the design document if my change
  introduces a new feature.
• I am following the
  contributing code guidelines.
• I have read the security policy.
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got the approval (please contact
  security@ory.sh) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature
  works.
• I have added or changed the documentation.

Further Comments

[codecov]

Codecov Report

Attention: 10 lines in your changes are missing coverage. Please review.

Comparison is base (f0501d2) 76.15% compared to head (5cc8fa8) 75.90%.
Report is 5 commits behind head on master.

❗ Current head 5cc8fa8 differs from pull request most recent head e2922c4. Consider uploading reports for the commit e2922c4 to get more accurate results

Files	Patch %	Lines
consent/csrf.go	84.84%	2 Missing and 3 partials ⚠️
consent/strategy_default.go	78.57%	2 Missing and 1 partial ⚠️
persistence/sql/persister_consent.go	94.59%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3667      +/-   ##
==========================================
- Coverage   76.15%   75.90%   -0.26%     
==========================================
  Files         133      134       +1     
  Lines       10044    10075      +31     
==========================================
- Hits         7649     7647       -2     
- Misses       1878     1912      +34     
+ Partials      517      516       -1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[aeneasr]

First pass - this looks good. Let's see what the CI has to say!

I assume the cookie is still going to be set after the consent challenge has been accepted, correct? It's simply not needed during the login/consent dance (which was previously the case)

[hperl]

First pass - this looks good. Let's see what the CI has to say!

The CI is very excited about this change ;)

I assume the cookie is still going to be set after the consent challenge has been accepted, correct? It's simply not needed during the login/consent dance (which was previously the case)

Yes, the final session cookie gets written here:

hydra/consent/strategy_default.go

Lines 480 to 492 in e2922c4

	// Not a skipped login and the user asked to remember its session, store a cookie
	cookie, _ := store.Get(r, s.c.SessionCookieName(ctx))
	cookie.Values[CookieAuthenticationSIDName] = sessionID
	if session.RememberFor >= 0 {
	cookie.Options.MaxAge = session.RememberFor
	}
	cookie.Options.HttpOnly = true
	cookie.Options.Path = s.c.SessionCookiePath(ctx)
	cookie.Options.SameSite = s.c.CookieSameSiteMode(ctx)
	cookie.Options.Secure = s.c.CookieSecure(ctx)
	if err := cookie.Save(r, w); err != nil {
	return nil, errorsx.WithStack(err)
	}