Looks like you’re using CORS.
I’m not certain this is necessary, but I believe you need to specify the Access-Control-Expose-Headers header to include Set-Cookie, which is not one of the defaults. Same with the Access-Control-Allow-Headers header and Cookie.
