We are already using sha256 hashes for new log-ins on master. This diff makes us convert existing log-ins (existing row in the MariaDB cookies table) to sha256 hashes.

We can't recalculate the hash without the "cookie password", so we'll do this when the user sends a request in updateCookie.

It's safe to call Viewer.cookieHash and Viewer.cookiePassword in updateCookie, since updateCookie is only called for real, authenticated requests (HTML website, JSON responder, or WebSocket). updateCookie does not appear to be called with a bot or script viewer anywhere in the codebase.

The cookie itself (the one we send to the client) doesn't need to change, since it doesn't include the hash.

Was tested in combination with preceding diff:

1. Log out on the web app
2. Check out a version of master with 397b4542fa7b38d8468038d74f3de84969f9dc36 and 12d02949bb4bb44a129163def1a7a056a7791b74 reverted
3. Log back in on the web app
4. Confirm that I have a bcrypt hash by running SELECT * FROM cookies ORDER BY last_used DESC LIMIT 1 in MariaDB console
5. Close web app tab, kill keyserver, and check out master + D9563 + this diff
6. Open web app tab again
7. Confirm that I have a sha256 hash by rerunning query from step 4
8. Confirm that the cookie ID is the same between steps 4 and 7