refactor(base): decompose initSession() into focused private helper methods

[joshtrichards]

• Resolves: #

Summary

This PR refactors OC::initSession() out into smaller, focused private helpers to improve readability and testability. No behavior is changed beyond several fixes I judged low-risk/high confidence (noted below).

Bug/robustness fixes included

• Session cookie deletion now includes the configured domain. Previously omitted the domain, meaning the cookie might not be cleared on instances with a configured cookie_domain. Also used a hardcoded -1 expiry. Now uses session_get_cookie_params() to match the original cookie's path and domain, and a standard $now - 3600 expiry.
• DAV bypass no longer reads $_COOKIE directly. $_COOKIE['nc_session_id'] replaced with $request->getCookie('nc_session_id') for consistency and testability.
• LAST_ACTIVITY validation hardened. Non-numeric and non-positive values are now rejected before the timeout comparison, preventing unintended session invalidation on corrupt session data. (Aside: We may want to add debug level logging when this happens I guess so there's at least some chance of discovering it in the wild).

Known follow-up (not in this PR)

• catch (Exception $e) in createWrappedSession() should probably be widened to \Throwable — noted with a TODO comment for now

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required
• Backports requested where applicable (ex: critical bugfixes)
• Labels added where applicable (ex: bug/enhancement, 3. to review, feature component)
• Milestone added for target branch/version (ex: 32.x for stable32)

AI (if applicable)

• The content of this PR was partly or fully generated using AI