New features / behavior changes:
- Session, PoorSession, AESSession: same_site argument is now validated
  - Accepted values: 'Strict', 'Lax', 'None', or False
  - ValueError is raised for any other value
  - ValueError is raised when same_site='None' and secure=False (browsers reject this combination)
  - Type annotation corrected: Union[str, bool] → Union[str, Literal[False]]
Bug fixes:
- Session.destroy() with max_age: Max-Age=-1 was being overwritten by the subsequent write() call; a new _destroyed flag now prevents this
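
The same_site validation and the destroy() fix described above, sketched as an added example that is not the library's own code. DemoSession, its constructor arguments other than same_site, secure and max_age, and the exact-case matching of same_site values are assumptions made for illustration.

```python
from http.cookies import SimpleCookie
from typing import Literal, Optional, Union

ALLOWED_SAME_SITE = ("Strict", "Lax", "None")  # exact case is an assumption


class DemoSession:
    """Hypothetical stand-in, not the library's Session class."""

    def __init__(self, sid: str = "SESSID", secure: bool = False,
                 same_site: Union[str, Literal[False]] = False,
                 max_age: Optional[int] = None):
        # Identity check against False, so True is rejected as well.
        if same_site is not False and same_site not in ALLOWED_SAME_SITE:
            raise ValueError(f"invalid same_site: {same_site!r}")
        # Browsers reject SameSite=None cookies that lack Secure.
        if same_site == "None" and not secure:
            raise ValueError("same_site='None' requires secure=True")
        self.sid, self.secure = sid, secure
        self.same_site, self.max_age = same_site, max_age
        self.cookie = SimpleCookie()
        self._destroyed = False

    def _apply_flags(self, value: str) -> None:
        self.cookie[self.sid] = value
        morsel = self.cookie[self.sid]
        morsel["httponly"] = True
        if self.secure:
            morsel["secure"] = True
        if self.same_site:
            morsel["samesite"] = self.same_site

    def write(self, value: str) -> None:
        if self._destroyed:  # keep the expiry that destroy() set
            return
        self._apply_flags(value)
        if self.max_age is not None:
            self.cookie[self.sid]["max-age"] = self.max_age

    def destroy(self) -> None:
        self._apply_flags("")
        self.cookie[self.sid]["max-age"] = -1
        self._destroyed = True

    def header(self) -> str:
        # Value of the Set-Cookie header for this session cookie.
        return self.cookie[self.sid].OutputString()
```

Without the `_destroyed` guard, a write() issued after destroy() would replace Max-Age=-1 with the configured max_age and the browser would keep the cookie.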