test(auth): integration tests for full session lifecycle and idle-timeout

Also switches pom.xml to spring-boot-starter-session-jdbc (Spring Boot 4.x
split the session auto-config into a separate starter; spring-session-jdbc
alone does not register JdbcSessionAutoConfiguration).
Adds SpringSessionConfig#cookieSerializer bean to configure fa_session name
and SameSite=Strict (spring.session.cookie.* properties are no longer
supported by the Boot 4.x auto-configuration layer).
Cleans up application.yaml / application-dev.yaml: removes store-type: jdbc
and the unsupported cookie.* keys.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/main/resources/application-dev.yaml

@@ -1,11 +1,9 @@
 spring:
   jpa:
     show-sql: true
-  session:
-    cookie:
-      # Dev runs over HTTP (port 5173 → 8080); Secure=true would prevent the
-      # cookie from being sent on plain HTTP. Override to false for local dev only.
-      secure: false
+  # spring.session.cookie.secure is no longer a supported Boot 4.x property.
+  # DefaultCookieSerializer auto-detects Secure from request.isSecure().
+  # Direct HTTP in dev → isSecure()=false → cookie sent without Secure attribute.
 
 springdoc:
   api-docs:

backend/src/main/resources/application.yaml

@@ -39,16 +39,11 @@ spring:
             enable: true
 
   session:
-    store-type: jdbc
     timeout: 28800s  # 8 h idle timeout (MaxInactiveIntervalInSeconds)
     jdbc:
       initialize-schema: never  # Flyway owns schema creation (V67)
-    cookie:
-      name: fa_session
-      same-site: strict
-      http-only: true
-      # secure: true is the default when forward-headers-strategy detects HTTPS behind Caddy.
-      # application-dev.yaml overrides this to false for local HTTP dev.
+    # Cookie name, SameSite, and Secure are configured via SpringSessionConfig#cookieSerializer
+    # (spring.session.cookie.* is not supported in Spring Boot 4.x).
 
 server:
   # Behind Caddy/reverse proxy: trust X-Forwarded-{Proto,For,Host} so that