generate a persistent secret for cookie encryption at first server run.  still in pursuit of zero-config and as stateless as possible.