You're advocating for cookie-based authentication using sessions (an increasingly dated practice), but do not mention anywhere adding real CSRF protection.
From OWASP regarding your SameSite=Strict suggestion:
"Considering the factors above, it is not recommended to be used as a primary defense. Google agrees with this stance and strongly encourages developers to deploy server-side defenses such as tokens to mitigate CSRF more fully."
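The server-side token defense the OWASP quote refers to is the synchronizer token pattern: the server stores a random token in the user's session, embeds it in every state-changing form, and rejects any non-safe request whose submitted token does not match. The following is an added illustration, not code from the original article or its author; the in-memory `SESSIONS` store, the `Request` dataclass and the helper names are assumptions standing in for whatever framework the application actually uses. The session cookie still carries `SameSite=Strict` (plus `Secure` and `HttpOnly`) as defense in depth, but the request is only accepted when the token check passes.

```python
import hmac
import html
import secrets
from dataclasses import dataclass, field

# Constructed in-memory session store (assumption: a real app uses its framework's session backend).
SESSIONS: dict[str, dict] = {}

# Methods that must never change state and therefore need no CSRF token.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_session() -> str:
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid


def session_cookie_header(sid: str) -> str:
    """SameSite=Strict, Secure and HttpOnly are defense in depth, not the primary CSRF control."""
    return f"Set-Cookie: session={sid}; Secure; HttpOnly; SameSite=Strict; Path=/"


def csrf_token_for(sid: str) -> str:
    """Token to embed in forms rendered for this session."""
    return SESSIONS[sid]["csrf_token"]


def hidden_field(sid: str) -> str:
    """Hidden input that a server-rendered form includes so the browser submits the token."""
    return f'<input type="hidden" name="csrf_token" value="{html.escape(csrf_token_for(sid))}">'


@dataclass
class Request:
    """Minimal stand-in for an incoming HTTP request (assumed shape, not a real framework object)."""
    method: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def check_csrf(req: Request) -> bool:
    """Accept safe methods; for everything else require a session-bound token that matches."""
    if req.method.upper() in SAFE_METHODS:
        return True
    session = SESSIONS.get(req.cookies.get("session", ""))
    if session is None:
        # No valid session cookie at all: nothing to bind the token to.
        return False
    submitted = req.form.get("csrf_token", "")
    # Constant-time comparison so a mismatch does not leak where the token differs.
    return hmac.compare_digest(session["csrf_token"].encode(), submitted.encode())


def rotate_csrf_token(sid: str) -> str:
    """Issue a new token, e.g. after login, so a token seen before authentication is useless afterwards."""
    SESSIONS[sid]["csrf_token"] = secrets.token_urlsafe(32)
    return SESSIONS[sid]["csrf_token"]


if __name__ == "__main__":
    sid = new_session()
    print(session_cookie_header(sid))
    print(hidden_field(sid))
    # A request that carries the cookie but no token (what a cross-site form post would look like
    # if the browser sent the cookie) is rejected even though the session itself is valid.
    print(check_csrf(Request("POST", {"session": sid}, {})))                                   # False
    print(check_csrf(Request("POST", {"session": sid}, {"csrf_token": csrf_token_for(sid)})))  # True
```

The check is deliberately independent of the cookie policy: if a browser ever sends the session cookie cross-site (an older browser, a relaxed `SameSite` value on some other cookie, or a top-level navigation that `Lax` permits), the missing or mismatched token still causes the request to be refused.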