Setting the SameSite attribute to 'Strict' protects against CSRF.
@@ -173,6 +173,13 @@ class Session
];
if (isset($defaults[$name])) {
+ if (
+ PHP_VERSION_ID >= 70300
+ && ($name !== 'php' || empty(ini_get('session.cookie_samesite')))
+ ) {
+ $defaults['php']['ini']['session.cookie_samesite'] = 'Strict';
+ }
+
return $defaults[$name];
}