Set the XSRF-Token cookie to SameSite=lax

Set the XSRF-Token cookie to SameSite=lax

As it turns out, `strict` is too strict for some use cases of the average user,
as it might suppress the cookie when the user researches something while
writing a post and ultimately comes back to the community via an external link.

This request will not have the XSRF-Token cookie attached due to violating the
`strict` policy, resulting in WoltLab Suite sending a fresh cookie in response.
This will then invalidate the token stored in the form where the user is in the
process of writing their post, ultimately resulting in an error message.

The `SameSite` value is meant as a defense in depth measure to protect the user
even if they current token leaked in some way. Reducing the strictness does not
reduce the security in a measurable way.