SameSite=strict cookies are only sent for requests from a first-party context. SameSite=lax cookies are sent for first-party requests, as well as for top-level navigations. If you use only a single cookie then it probably needs to be SameSite=lax to support navigating to a site from a third-party site or email link (Gmail wraps all links in a redirect through a URL checker).
I wondered if it could be good for a new option in wrap-session to set and read two kinds of cookies? ring-session-safe; SameSite=lax, which would be used for GET/HEAD requests, and ring-session-unsafe; SameSite=strict, which would be used for PUT/POST/DELETE/PATCH requests.
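As an added illustration of the proposal above (not code from Ring or from the issue author), a Ring middleware that reads the SameSite=Lax cookie on GET/HEAD and the SameSite=Strict cookie on every other method, and always writes both cookies with the same session key so they never diverge. The cookie names, the in-memory store and the demo handler are assumptions; the `:same-site` cookie attribute requires a Ring release that supports it.

```clojure
(ns example.split-session
  (:require [ring.middleware.cookies :refer [wrap-cookies]])
  (:import [java.util UUID]))

;; Assumed for this example: the cookie names, an in-memory store and the
;; demo handler. This is not Ring's own wrap-session.
(def ^:private sessions (atom {}))

;; Safe (read-only) methods use the SameSite=Lax cookie, everything else
;; uses the SameSite=Strict one.
(defn- cookie-for [method]
  (if (#{:get :head} method) "ring-session-safe" "ring-session-unsafe"))

;; Both cookies carry the same key so they never drift apart; only the
;; SameSite attribute differs.
(defn- session-cookies [key]
  (let [base {:value key :path "/" :http-only true :secure true}]
    {"ring-session-safe"   (assoc base :same-site :lax)
     "ring-session-unsafe" (assoc base :same-site :strict)}))

(defn wrap-split-session [handler]
  (wrap-cookies
   (fn [request]
     (let [cookie   (cookie-for (:request-method request))
           sent-key (get-in request [:cookies cookie :value])
           ;; only honour keys this server issued (no session fixation)
           key      (when (contains? @sessions sent-key) sent-key)
           response (handler (assoc request :session (get @sessions key {})))]
       (if (contains? response :session)
         (let [key (or key (str (UUID/randomUUID)))]
           (swap! sessions assoc key (:session response))
           (assoc response :cookies (session-cookies key)))
         response)))))

;; Demo handler: GET establishes a session, POST requires one.
(defn- demo [{:keys [request-method session]}]
  (cond
    (= request-method :get) {:status 200 :body "started" :session {:user "alice"}}
    (:user session)         {:status 200 :body (str "hello " (:user session))}
    :else                   {:status 403 :body "no session: strict cookie absent"}))

(def app (wrap-split-session demo))
(comment
  ;; First-party GET: the response carries both Set-Cookie headers.
  (app {:request-method :get :uri "/" :headers {}})
  ;; Cross-site POST: the browser attaches only the lax cookie, so the
  ;; strict cookie is missing and the handler answers 403.
  (app {:request-method :post :uri "/"
        :headers {"cookie" "ring-session-safe=<key-from-above>"}}))
```

A handler that mutates state only on non-safe methods therefore never sees a session on a cross-site request, while email and third-party links into GET pages keep working through the lax cookie.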