ring-defaults
Consider adding note in readme that session same-site strict will cause users to log out from redirects from other sites
Didn't take me too long to find once I put time into it, but I have had an enormous amount of complaints on my site that users are not staying logged in. A lot of my users come from Instagram links. When they click on the link they are logged out. Any subsequent login (via ajax) on the same browser tab and refresh will keep logging the user out.
https://github.com/ring-clojure/ring-defaults/blob/master/src/ring/middleware/defaults.clj#L45
Also, do you think it may be better to put that :strict in secure-site-defaults instead of site-defaults? I feel same-site :lax would be a more sane default.
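One way to apply the `:lax` override discussed in this issue at the application level, as an added example that is not part of the original post or of ring-defaults itself. The namespace, handler, and request map are constructed for illustration; the only setting changed is the `:same-site` key the linked line of `defaults.clj` sets to `:strict`.

```clojure
(ns example.app
  (:require [clojure.string :as str]
            [ring.middleware.defaults :refer [wrap-defaults site-defaults]]))

;; site-defaults ships the session cookie with :same-site :strict, so the
;; browser withholds it on any navigation that starts on another site
;; (a link clicked on Instagram, an OAuth or payment redirect back, ...).
;; :lax sends the cookie on cross-site top-level GET navigations only; it is
;; still withheld on cross-site POSTs, iframes and subresource requests.
(def lax-site-defaults
  (assoc-in site-defaults [:session :cookie-attrs :same-site] :lax))

;; Hypothetical handler: writes to the session so a Set-Cookie is issued.
(defn handler [_request]
  {:status  200
   :headers {"Content-Type" "text/plain"}
   :body    "ok"
   :session {:user-id 42}})                ; constructed sample value

(def app (wrap-defaults handler lax-site-defaults))

;; Constructed request map, shaped like a plain GET from a test client.
(def sample-request
  {:request-method :get
   :uri            "/"
   :scheme         :http
   :server-name    "localhost"
   :server-port    80
   :remote-addr    "127.0.0.1"
   :headers        {"host" "localhost"}})

(defn session-same-site
  "Returns the SameSite attribute string of the ring-session cookie that
  `app` sets in response to `request`, or nil when no such cookie is set."
  [app request]
  (some->> (get-in (app request) [:headers "Set-Cookie"])
           (filter #(str/starts-with? % "ring-session="))
           first
           (re-find #"(?i)SameSite=\w+")))

;; Use in a deploy-time check or test to confirm which policy is live:
(comment
  (session-same-site app sample-request)
  (session-same-site (wrap-defaults handler site-defaults) sample-request))
```

Because `:lax` lets the session cookie ride along on cross-site GET navigations, keep state-changing routes off GET and leave the anti-forgery middleware that `site-defaults` enables switched on.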