Preference for x-h3-session instead of a cookie

[TheBrenny]

Describe the bug

The docs mention that the H3 server has a preference for x-h3-session over the h3 cookie. Given that cookies can have security controls wrapped around them (implemented by browser vendors) it might be safer to prefer the cookie instead? This way there's another barrier stopping session hijacking.

Additional context

Similar to #977

[pi0]

The x-session header support is write-only. h3 built-in useSession does not send session value as a header, but only as a secure/http-only set-cookie header for the browser to store.

It is solely up to the implementor if they decide to alternatively send session value as an HTTP header in cases where cookie flow is not working for them (in this case, they might also decide on an alternative session retrieval/store mechanism).

In short, h3's default and recommended behavior is to use HTTP-only secure cookies. Supporting or preferring x-h3-session header does not weaken security unless the implementor stores or transfers session value in an insecure manner.