Add pinning test for SafeCookieData values, and update SafeSessions
middleware comments to match code.

Main comment changes:

- Fix description of cookie structure:
    - Specify hash algorithm (SHA256, not "H")
    - Don't try to describe internals of TimestampSigner; description was
      incorrect in several ways: Did not include string delimiters under
      base64 (there's JSON in there); did not include the actual MAC
      portion. Just describe general effect and shape of output.
    - Add missing trailing pipe delimiter in signed data hash input
- Use phrase "intermediate key" rather than the less familiar term "usage
  key"