You really dont want strict same site cookies for the most part. I get that its "more secure" but as soon as someone clicks a link from somewhere else, you open it without being logged in.