refactor(todo): refine login redirect and extra csp config
- refine login redirect when session expires; invalidate XSRF cookie so that CORS preflight OPTIONS request works properly at the mdsp level
- document extra CSP settings required for login redirects when user session token expires