CookieSession.refresh does not rotate the refresh token. The sealed session that is returned, which we are expected to set in the cookie, still has the original refresh token.
According to https://workos.com/docs/reference/authkit/authentication/refresh-token, the underlying call does issue a replacement refresh token; however, it is seemingly not being set in the refreshed session.