We can improve the experience for authentication handler plugin devs (like in https://answers.atlassian.com/questions/275306/xsrf-errors-in-repo-creation-using-custom-httpauthenticationhandler) by doing a couple of things:

1. Add info to https://developer.atlassian.com/stash/docs/latest/reference/plugin-module-types/http-authentication-handler.html about the authentication "workflow" in Stash, and the various cookies we use (JSESSIONID, _atl_remember_me, _atl_token, ...) and how they play into into that workflow. This will help plugin devs in debugging when their handler doesn't quite work.
2. Add more debug logging around session creation and invalidation, if possible.