Use permanent rather than session cookies

This switches the Flask cookie to be "permanent" rather than tied to the browser session. The existing login timeout is unaffected - this merely changes the lifetime of the session itself rather the login stored within it.

However this change does allow longer login timeouts to be set, which will persist when browser windows are closed.

Fixes #141 (closed) (please see this issue for more discussion)