
For session, set cookie sameSite based on the value of apiDomain and websiteDomain #63

Closed
rishabhpoddar opened this issue Jan 5, 2021 · 1 comment

@rishabhpoddar (Contributor) commented Jan 5, 2021

  • If the values are different (no common top level domain), then set cookieSameSite to none by default, else set it to lax.
  • If setting it to none, also set anti-csrf to true somehow.
  • Set cookieSecure to true by default if the apiDomain has https.
@rishabhpoddar (Contributor, Author) commented
  • If the websiteDomain and the apiDomain are localhost, even if the ports are different, lax is allowed.
  • Do some research on when sameSite lax is allowed.
  • If, based on the websiteDomain and apiDomain, sameSite is none, then the cookieSecure flag must resolve to true. Note that cookieSecure's value is only based on whether https or http is present in the apiDomain. If it's false in this case, then throw an error: "Since your API and website domain are different, for sessions to work, please use https on your apiDomain".
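The rules in the two comments above, carried through as one worked example. This is added illustration code, not SuperTokens' own implementation: the function names (`deriveCookieSettings`, `setCookieHeader`, and the helpers) are hypothetical, "common top level domain" is approximated as the last two host labels (a real implementation should consult the Public Suffix List), a value with no scheme is assumed to be plain http, and the sample domain pairs are constructed. It uses only Node's built-in `URL`.

```javascript
// Derive cookieSameSite / cookieSecure / antiCsrf defaults from apiDomain and
// websiteDomain, following the rules sketched in the issue. Added example,
// not project code; helper names are hypothetical.

function parseDomain(raw) {
  // Assumption: a value without a scheme is treated as plain http, so it never
  // counts as "secure". Only the scheme of apiDomain decides cookieSecure.
  const withScheme = raw.includes("://") ? raw : `http://${raw}`;
  const url = new URL(withScheme);
  return { hostname: url.hostname, protocol: url.protocol, port: url.port };
}

function isLocalhost(hostname) {
  // localhost is same-site with itself regardless of port (issue, comment 2).
  return hostname === "localhost" || hostname === "127.0.0.1" || hostname.endsWith(".localhost");
}

function registrableDomain(hostname) {
  // Simplification: "common top level domain" = last two labels. This is wrong
  // for multi-part public suffixes such as example.co.uk; use the Public
  // Suffix List in real code.
  if (/^\d+\.\d+\.\d+\.\d+$/.test(hostname)) return hostname; // IPv4 literal: nothing to strip
  return hostname.split(".").slice(-2).join(".");
}

function deriveCookieSettings(apiDomain, websiteDomain) {
  const api = parseDomain(apiDomain);
  const web = parseDomain(websiteDomain);

  let cookieSameSite;
  if (isLocalhost(api.hostname) && isLocalhost(web.hostname)) {
    cookieSameSite = "lax"; // different ports on localhost are still fine
  } else if (registrableDomain(api.hostname) === registrableDomain(web.hostname)) {
    cookieSameSite = "lax"; // same registrable domain: sub-domains share a site
  } else {
    cookieSameSite = "none"; // cross-site: cookie must be SameSite=None
  }

  // cookieSecure depends only on the apiDomain scheme.
  const cookieSecure = api.protocol === "https:";
  // SameSite=None gives no CSRF protection from the browser, so turn anti-CSRF on.
  const antiCsrf = cookieSameSite === "none";

  // Browsers reject SameSite=None cookies that are not also Secure, so this
  // combination can never produce a working session: fail loudly at config time.
  if (cookieSameSite === "none" && !cookieSecure) {
    throw new Error(
      "Since your API and website domain are different, for sessions to work, please use https on your apiDomain"
    );
  }
  return { cookieSameSite, cookieSecure, antiCsrf };
}

function setCookieHeader(name, value, settings) {
  // Render the attributes the derived settings imply for a session cookie.
  const sameSite = settings.cookieSameSite[0].toUpperCase() + settings.cookieSameSite.slice(1);
  const parts = [`${name}=${value}`, "Path=/", "HttpOnly", `SameSite=${sameSite}`];
  if (settings.cookieSecure) parts.push("Secure");
  return parts.join("; ");
}

// Constructed sample pairs (apiDomain, websiteDomain); the last one must throw.
const SAMPLE_PAIRS = [
  ["http://localhost:3001", "http://localhost:3000"],
  ["https://api.example.com", "https://example.com"],
  ["https://api.example.com", "https://app.other.com"],
  ["http://api.example.com", "https://app.other.com"],
];

for (const [apiDomain, websiteDomain] of SAMPLE_PAIRS) {
  try {
    const s = deriveCookieSettings(apiDomain, websiteDomain);
    console.log(apiDomain, "+", websiteDomain, "=>", setCookieHeader("sAccessToken", "<jwt>", s), "antiCsrf:", s.antiCsrf);
  } catch (e) {
    console.log(apiDomain, "+", websiteDomain, "=> error:", e.message);
  }
}
```

The check that matters most is the last one: a cross-site pair with a plain-http apiDomain is rejected at configuration time rather than silently issuing a `SameSite=None` cookie without `Secure`, which browsers drop and which would surface only as users being logged out.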
