We are already using `sha256` hashes for new log-ins on `master`. This diff makes us convert existing log-ins (existing row in the MariaDB `cookies` table) to `sha256` hashes.
We can't recalculate the hash without the "cookie password", so we'll do this when the user sends a request in `updateCookie`.
It's safe to call `Viewer.cookieHash` and `Viewer.cookiePassword` in `updateCookie`, since `updateCookie` is only called for real, authenticated requests (HTML website, JSON responder, or WebSocket). `updateCookie` does not appear to be called with a bot or script viewer anywhere in the codebase.
The cookie itself (the one we send to the client) doesn't need to change, since it doesn't include the hash.
Depends on D9563