webapp: add secret_key_base to config

This replaces the secret_token from rails 4.1 on.

Both are used for securing cookies in the browser. The secret_key_base will also encrypt the cookies while the token will only sign them.

Keeping the token in there for now allows us to migrate existing sessions / cookies to the new secrets. We can remove it in the next version once all providers have run with secret_key_base for a while.