Allow the SameSite attribute to set none to ease development

[jezsung]

The beginAuth function sets the SameSite cookie attribute to lax to block third-party site accesses but this makes development harder as the typical workflow would be hosting the frontend and backend on different hosts. It's even harder as we also need to host both frontend and backend on the same domain with HTTPS enabled.

Why not gives us an option to set this attribute so that we can set it none for development and lax for production?