
Make session secure by default #11597

Open
4 tasks
GuySartorelli opened this issue Feb 7, 2025 · 2 comments

Comments

@GuySartorelli
Member

In https://docs.silverstripe.org/en/developer_guides/cookies_and_sessions/sessions/#cookies there is clear guidance for how to make a session secure - but that should be the default. Developers can then loosen that as needed for their circumstances.

We should tighten this up in CMS 6 - we can't do it sooner than that for BC reasons.

Acceptance criteria

  • Session.cookie_samesite configuration property is set to 'Strict' by default
  • Session.cookie_secure configuration property is set to true by default
  • Documentation is updated to reflect the new defaults, and to say how to loosen them (and an example of an appropriate scenario in which to do that, or if no such scenario is discovered, a warning to not do it unless they're sure they know what they're doing)
  • Changelog clearly calls out this change and how to revert it if needed
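The acceptance criteria above describe what the session cookie should look like once the defaults change. The following is an added example (not code from this issue or from the Silverstripe project): a small audit of `Set-Cookie` header values that reports whether a cookie carries `Secure` and `SameSite=Strict`, which is the check a deployer would run against a live site after upgrading. The header samples and cookie names in it are constructed for illustration.

```python
"""Audit Set-Cookie header values for the Secure and SameSite attributes.

Added example, not part of the Silverstripe issue or project. All header
samples and cookie names below are constructed for illustration.
"""
from typing import Dict, List, NamedTuple, Tuple


class CookieAudit(NamedTuple):
    name: str
    secure: bool
    samesite: str          # normalised to 'Strict', 'Lax', 'None', or '' when absent
    findings: List[str]    # empty when the cookie matches the proposed defaults


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split one Set-Cookie value into its cookie name, value and attributes.

    Attribute names are lower-cased so matching is case-insensitive (browsers
    treat 'secure' and 'Secure' alike). Flag attributes such as Secure and
    HttpOnly map to an empty string. The cookie name and value are stored
    under the reserved keys '__name__' and '__value__'.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"__name__": name.strip(), "__value__": value.strip()}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return attrs


def audit_cookie(header: str) -> CookieAudit:
    """Report how one cookie deviates from Secure + SameSite=Strict."""
    attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    # 'strict' / 'STRICT' -> 'Strict'; missing attribute -> ''
    samesite = attrs.get("samesite", "").capitalize()
    findings: List[str] = []
    if not secure:
        findings.append("missing Secure: cookie may be sent over plain HTTP")
    if samesite == "":
        findings.append("missing SameSite: the browser's own default applies")
    elif samesite != "Strict":
        findings.append(f"SameSite={samesite}: weaker than the proposed Strict default")
    if samesite == "None" and not secure:
        # Browsers reject SameSite=None without Secure, so the cookie is dropped entirely.
        findings.append("SameSite=None without Secure: browsers will reject this cookie")
    return CookieAudit(attrs["__name__"], secure, samesite, findings)


def audit_response_headers(headers: List[Tuple[str, str]]) -> Dict[str, CookieAudit]:
    """Audit every Set-Cookie header in a list of (name, value) response headers."""
    results: Dict[str, CookieAudit] = {}
    for key, value in headers:
        if key.lower() == "set-cookie":
            result = audit_cookie(value)
            results[result.name] = result
    return results


# Constructed sample response: one cookie as a loose configuration would emit
# it, one as the proposed Strict/secure defaults would emit it.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "example_session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "example_hardened=def456; Path=/; HttpOnly; Secure; SameSite=Strict"),
]

if __name__ == "__main__":
    for name, result in audit_response_headers(SAMPLE_HEADERS).items():
        status = "OK" if not result.findings else "; ".join(result.findings)
        print(f"{name}: {status}")
```

Run it as-is to see the two constructed cookies audited, or feed `audit_response_headers` the raw header list from an HTTP client of your choice. The `SameSite=None` branch is included because loosening the default to `None` without also keeping `Secure` does not merely weaken the cookie, it makes browsers discard it.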
@lekoala
Contributor

lekoala commented Feb 25, 2025

Just a quick note that in dev mode, having strict and secure cookies can be annoying, so if it's possible to make that the default only for live mode, that would be great :-)

@GuySartorelli
Member Author

GuySartorelli commented Feb 25, 2025

It's very unlikely we'd have this differ in Dev mode or be only in live mode, for the same reason CanonicalUrlMiddleware will be enabled in all environments by default - it would be annoying for things to work great in Dev but then you deploy and nobody can log in or something.
