
fix cookie: validate Path/Domain/SameSite to block header injection#1255

Open
netliomax25-code wants to merge 1 commit into userver-framework:develop from netliomax25-code:cookie-attr-header-injection

Conversation

@netliomax25-code

Contributor
  1. The cookie name and value are validated on construction, but the Path, Domain and SameSite attributes are set through SetPath/SetDomain/SetSameSite with no validation.
  2. AppendToString writes those attributes verbatim into the Set-Cookie header, so a CR/LF in one of them injects a response header (HTTP response splitting) and a ';' injects an extra cookie-av.
  3. They are reachable server side through HttpResponse::SetCookie and on the client side through Cookie::FromString when parsing an upstream Set-Cookie.
  4. Reject control characters and ';' in those three setters via a shared ValidateCookieAttribute, matching the existing name/value checks, plus a regression test.

Repro before the patch: a cookie with SetPath("/\r\nSet-Cookie: admin=true") serializes to a Set-Cookie line carrying the raw CRLF, which splits the response.
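The following is an added illustration of the defence the description proposes, not the PR's diff and not userver's own code. It models a small stand-in `Cookie` type whose `SetPath`/`SetDomain`/`SetSameSite` setters route through a hypothetical shared `ValidateCookieAttribute` that rejects ASCII control characters and `;`, so the CRLF from the repro above never reaches the serialized `Set-Cookie` line. The class layout, the `IsSafeCookieAttribute` and `HeaderValueIsSafe` helpers, and the sample cookie values are assumptions made for the example.

```cpp
#include <stdexcept>
#include <string>
#include <string_view>
#include <utility>

// Hypothetical shared validator modelled on the ValidateCookieAttribute the
// PR description proposes (an illustration, not userver's code).
// Rejects ASCII control characters (CR and LF among them) and ';', the bytes
// that let an attribute escape its cookie-av or its header line.
bool IsSafeCookieAttribute(std::string_view value) {
  for (unsigned char c : value) {
    if (c <= 0x1F || c == 0x7F || c == ';') return false;
  }
  return true;
}

void ValidateCookieAttribute(std::string_view attribute, std::string_view value) {
  if (!IsSafeCookieAttribute(value)) {
    throw std::invalid_argument("cookie attribute " + std::string(attribute) +
                                " contains a control character or ';'");
  }
}

// Minimal stand-in for a cookie type with the setters named in the PR.
class Cookie {
 public:
  Cookie(std::string name, std::string value)
      : name_(std::move(name)), value_(std::move(value)) {
    // The PR says name/value are already validated on construction; the same
    // check is reused here so the stand-in cannot be abused through them either
    // (RFC 6265 is stricter still for name/value, this is the minimum).
    ValidateCookieAttribute("name", name_);
    ValidateCookieAttribute("value", value_);
  }

  Cookie& SetPath(std::string path) {
    ValidateCookieAttribute("Path", path);
    path_ = std::move(path);
    return *this;
  }
  Cookie& SetDomain(std::string domain) {
    ValidateCookieAttribute("Domain", domain);
    domain_ = std::move(domain);
    return *this;
  }
  Cookie& SetSameSite(std::string same_site) {
    ValidateCookieAttribute("SameSite", same_site);
    same_site_ = std::move(same_site);
    return *this;
  }

  // Serializes the cookie-pair and attributes verbatim; with validation in the
  // setters every byte written here is already known to be header-safe.
  void AppendToString(std::string& out) const {
    out += name_;
    out += '=';
    out += value_;
    if (!path_.empty()) out += "; Path=" + path_;
    if (!domain_.empty()) out += "; Domain=" + domain_;
    if (!same_site_.empty()) out += "; SameSite=" + same_site_;
  }

 private:
  std::string name_, value_, path_, domain_, same_site_;
};

// Defence-in-depth check a response writer can run on the finished header
// value: a Set-Cookie line must never contain CR or LF.
bool HeaderValueIsSafe(std::string_view header_value) {
  return header_value.find('\r') == std::string_view::npos &&
         header_value.find('\n') == std::string_view::npos;
}

// Returns true when the setter refuses the path, i.e. the injected CRLF
// never reaches AppendToString.
bool PathIsRejected(const std::string& path) {
  try {
    Cookie("session", "abc123").SetPath(path);
    return false;
  } catch (const std::invalid_argument&) {
    return true;
  }
}

// Builds a well-formed cookie the way a handler would (constructed sample values).
std::string SerializeExample() {
  Cookie cookie("session", "abc123");
  cookie.SetPath("/app").SetDomain("example.com").SetSameSite("Strict");
  std::string line;
  cookie.AppendToString(line);
  return line;
}
```

Rejecting in the setter is the right layer: `Cookie::FromString` on the client side and `HttpResponse::SetCookie` on the server side both funnel through it, so one check covers both entry points the description lists. `HeaderValueIsSafe` is a second, cheaper guard at the point the header is emitted; for `SameSite` in particular a real implementation would go further and accept only the defined values (Strict, Lax, None) rather than any safe string.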

