Changes the old coder_devurl_session_token cookie to be two new cookies: coder_path_app_session_token and coder_subdomain_app_session_token. This avoids cases where the cookie for both europe.dev.coder.com and .europe.dev.coder.com are both sent to Coder, but we can only set europe.dev.coder.com on path apps.

Changes the signed app token generating and comparing code to always append / to the base path to avoid generating two signed tokens when redirecting from /@user/workspace/apps/app to /@user/workspace/apps/app/ (trailing slash redirect).

We will also now try to validate up to 4 signed app token cookies in the request in case multiple cookies are specified by the browser. Browsers will send all cookies with the same name but different paths, not only a single one with the most specific path.

TODO:

• Test manually in a browser
• Add tests for not being able to use the incorrect cookie on the wrong access method
• Add tests for supplying multiple signed app token cookies in a request and them all being tried (up to 4)

Closes #9109