minor: sessions: set SameSite to Lax when sharable with subdomains is not disabled.

Former-commit-id: d0b15433d5f325f24972669b485be9cf5be6d68a

_examples/file-server/embedding-files-into-app/main_test.go

@@ -54,7 +54,7 @@ func (r resource) loadFromBase(dir string) string {
 	result := string(b)
 
 	if runtime.GOOS != "windows" {
-		// result = strings.Replace(result, "\n", "\r\n", -1)
+		result = strings.Replace(result, "\n", "\r\n", -1)
 	}
 	return result
 }

_examples/file-server/embedding-gziped-files-into-app/main_test.go

@@ -55,7 +55,7 @@ func (r resource) loadFromBase(dir string) string {
 	result := string(b)
 
 	if runtime.GOOS != "windows" {
-		// result = strings.Replace(result, "\n", "\r\n", -1)
+		result = strings.Replace(result, "\n", "\r\n", -1)
 	}
 	return result
 }

_examples/file-server/single-page-application/embedded-single-page-application/main_test.go

@@ -47,7 +47,7 @@ func (r resource) loadFromBase(dir string) string {
 	}
 	result := string(b)
 	if runtime.GOOS != "windows" {
-		// result = strings.Replace(result, "\n", "\r\n", -1)
+		result = strings.Replace(result, "\n", "\r\n", -1)
 	}
 	return result
 }

sessions/sessions.go

@@ -45,6 +45,10 @@ func (s *Sessions) updateCookie(ctx context.Context, sid string, expires time.Du
 	cookie.Path = "/"
 	cookie.Domain = formatCookieDomain(ctx, s.config.DisableSubdomainPersistence)
 	cookie.HttpOnly = true
+	if !s.config.DisableSubdomainPersistence {
+		cookie.SameSite = http.SameSiteLaxMode // allow subdomain sharing.
+	}
+
 	// MaxAge=0 means no 'Max-Age' attribute specified.
 	// MaxAge<0 means delete cookie now, equivalently 'Max-Age: 0'
 	// MaxAge>0 means Max-Age attribute present and given in seconds