SInce Go 1.11, the Cookie struct has SameSite attribute in it to prevent CSRF attacks. I think loginsrv need to provide -cookie-samesite option.
-cookie-samesite