Hi there! Hugely appreciate the screenshots, really helps clear up uncertainty 
The short answer is hardcoding the cookie’s secure field to be true + using the workaround described here (bottom) should make the connection work
The longer explanation is
- having cookies work from one site to another requires
sameSite: none(which I see has already been set) -
sameSite: nonerequiressecure: true(which I see is currently dependent on the environment) - there’s an open issue on express-session where it doesn’t send the set-header header when encountering a request made to a server running with “secure: true” running on a non-https endpoint even for localhost
- setting
trust proxytotrueon the server, and sendingx-forwarded-prototohttpsas the header will trick it into setting the cookie
There’s a different workaround suggested by express-session’s maintainer to overwrite the value of req.secure using object.defineProperty on your server, should also work
Hope that helps!