Set isSameSite to false and add code to support Hapi 13.5+

[ldesplat]

Resolves #264 in a non-breaking manner.

Had to turn off code coverage for the Hapi 13 support, due to multiple reasons:

1. Don't want to run code coverage using hapi 13
2. Hapi 14 and up, don't error on server.state with cookie passwords less than 32 characters like Hapi 13 did so I don't know how to force an error here either.
3. The way Hapi is implemented makes it hard to stub out the server.state method to force those scenarios.

Plan is to remove this code in next breaking release and stop support for Hapi 13 at that time.

[ldesplat]

Believe it or not, thanks to some great work from others, Strict did work with every browser except Chrome. It would fail the first time, but then we initiate a redirect to ourselves (only once) and all the browsers would properly send the Strict cookie :) except Chrome in my tests

[AdriVanHoudt]

So it would fail on every browser but then you do a redirect to yourself and it works? I assume this is because then you become the initiator and then it is ok to send the strict cookie along since it is now the same domain. But Chrome did not do this?

[ldesplat]

Correct. Chrome just refused to send the cookie when we became the initiator for Strict.
For Lax it should just work from the beginning and it did with all browsers but Chrome again! Could not work on my machine.

[AdriVanHoudt]

I just tried to put it to Lax and it does seem to work on Chrome Version 53.0.2785.116 (64-bit) on macOS,
changing this would be at least a minor (if not major) since this can have some implications. Could you test again maybe it was a issue in your version of chrome?

[lock]

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.