CSRF Cookie fixes

- Only set the cookie if it doesn't exist
- Always mark it secure (it was previously getting re-sent as not)
- Check the value against the header even if there was no value (so that
  a request that is missing the cookie but should have had one fails).
This commit is contained in:
Darren Shepherd
2020-02-26 12:35:24 -07:00
parent e2e87cda53
commit 0846768069
2 changed files with 7 additions and 6 deletions

@@ -4,10 +4,9 @@ import (
"encoding/json"
"time"
"github.com/rancher/wrangler/pkg/schemas/validation"
"github.com/gorilla/websocket"
"github.com/rancher/steve/pkg/schemaserver/types"
"github.com/rancher/wrangler/pkg/schemas/validation"
"github.com/sirupsen/logrus"
)
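Review bot: the import block here only moves `github.com/rancher/wrangler/pkg/schemas/validation` from ahead of `github.com/gorilla/websocket` to its sorted position after `github.com/rancher/steve/pkg/schemaserver/types` (the path shows twice because it is both the removed and the added line), which has nothing to do with the cookie handling named in the commit message. Consider splitting this reordering into a separate formatting commit so the security-relevant change to when the cookie is set, its Secure flag, and the header comparison can be reviewed and backported on its own. The commit message also describes a new failure case (request missing the cookie must now fail), and a test covering that case would be worth adding alongside the fix.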