thentos
Frontend bug: Don't expose session token in URL
serviceLoginH: The session token seems to be contained in the URL. So if people copy the URL from the address bar and send it to someone, they will get the same session. Instead, the session token should be in a cookie.
Note: We will use some SSO protocol here that is not home cooked later; for prototype operations, this is not serious.
See BUG marker in thentos-core/src/Thentos/Frontend/Handlers.hs.
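The fix proposed in this issue, sketched as an added example that is not thentos code (the project itself is Haskell): after login the response redirects to a URL with the token removed and carries the token only in a `Set-Cookie` header. The cookie name, the sample URL layout and all function names are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

COOKIE_NAME = "session"  # assumed name, not taken from thentos


def strip_token(url: str, token: str) -> str:
    """Return url without any query parameter or fragment carrying the token."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if v != token]
    fragment = "" if token in parts.fragment else parts.fragment
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), fragment))


def session_cookie(token: str) -> str:
    """Build the Set-Cookie value that carries the session token."""
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = token
    morsel = cookie[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["httponly"] = True   # not readable from page scripts
    morsel["secure"] = True     # only sent over HTTPS
    morsel["samesite"] = "Lax"  # not attached to cross-site subrequests
    return morsel.OutputString()


def login_redirect(return_url: str, token: str):
    """303 response: clean Location, token only in Set-Cookie."""
    location = strip_token(return_url, token)
    if token in location:  # token embedded in the path: refuse, do not leak
        raise ValueError("session token still present in redirect URL")
    return 303, [("Location", location),
                 ("Set-Cookie", session_cookie(token))]


if __name__ == "__main__":
    # Constructed sample values, not real thentos URLs or tokens.
    url = "https://service.example/login?token=c0nstructed-token&lang=en"
    status, headers = login_redirect(url, "c0nstructed-token")
    print(status)
    for name, value in headers:
        print(f"{name}: {value}")
```

The address bar then shows only the clean URL, so copying it no longer hands over the session.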