1 year ago
#314161
Will59
express cookie-session failing on mobile
I am trying to use cookie-session in express / nodejs, my setup works on PCs, but not on mobile:
- on Android/Firefox, I can set up the session cookie, but I cannot modify it once set, I can't even erase it by setting req.session=null. Android/chrome is fine.
- on iOS (Safari, chrome, firefox), the cookie doesn't seem to ever be set (iOS 15.3).
The setup is as follows:
- my website is hosted at "mywebsite.com" (names modified for this forum)
- my API setting/using the cookie is at another URL "mywebsite.io" (different extension)
cookie-session options are:
name: 'session',
keys: ['my secret'],
sameSite: 'none',
secure: true,
httpOnly: true,
signed: true,
overwrite: true,
Both website and API implement https. The API is behind an nginx proxy. Express includes this:
app.set('trust proxy', 1); // trust first proxy
to make sure the secure option works behind the proxy.
The web client is created in React, I run API calls using superagent with the .withCredentials() option.
I have tried:
- setting the maxAge option
- setting the domain option to 'mywebsite.io' or 'mywebsite.com'
- setting the 'path' option to '/'
- using the should-send-same-site-none module
Whatever I do, the iOS cookie is always empty (req.session = undefined on subsequent calls), and the Android/Firefox combo won't let me update it.
node.js
express
cookies
cookie-session
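Added example, not part of the original post: a static check of the setup described in the question (page on mywebsite.com, API cookie set by mywebsite.io) against the rules browsers apply to cross-site cookies. The function names, the two-label "site" heuristic and the CORS response headers are assumptions; the post does not show the API's CORS configuration.

```javascript
// Added example. ASSUMPTION: "site" = last two host labels; browsers use
// the Public Suffix List, so this is wrong for suffixes such as co.uk.
function site(origin) {
  return new URL(origin).hostname.split('.').slice(-2).join('.');
}

// cookie: cookie-session style options; cors: headers the API responds with.
function checkSetup(pageOrigin, apiOrigin, cookie, cors) {
  const findings = [];
  const api = new URL(apiOrigin);
  if (cookie.secure && api.protocol !== 'https:') {
    findings.push('Secure cookie is not set or sent over plain http');
  }
  // A Domain attribute must domain-match the host that sets the cookie.
  const domain = (cookie.domain || '').replace(/^\./, '');
  if (domain && !('.' + api.hostname).endsWith('.' + domain)) {
    findings.push('Domain does not match the API host: cookie is rejected');
  }
  if (site(pageOrigin) === site(apiOrigin)) {
    return { crossSite: false, thirdParty: false, findings };
  }
  // Cross-site requests only carry cookies marked SameSite=None and Secure.
  if (String(cookie.sameSite).toLowerCase() !== 'none') {
    findings.push('sameSite must be "none" for cross-site requests');
  } else if (!cookie.secure) {
    findings.push('SameSite=None is rejected without Secure');
  }
  // Credentialed CORS needs the exact origin (no "*") and Allow-Credentials.
  if (cors['access-control-allow-origin'] !== pageOrigin) {
    findings.push('Access-Control-Allow-Origin must equal the page origin');
  }
  if (cors['access-control-allow-credentials'] !== 'true') {
    findings.push('Access-Control-Allow-Credentials must be "true"');
  }
  // Correct attributes do not change what the cookie is: third-party.
  findings.push('third-party cookie: dropped by browsers that block ' +
    'third-party cookies (Safari/WebKit does so by default)');
  return { crossSite: true, thirdParty: true, findings };
}

// Constructed sample: options from the question, CORS headers assumed.
const POST_COOKIE = { sameSite: 'none', secure: true, httpOnly: true };
const ASSUMED_CORS = {
  'access-control-allow-origin': 'https://mywebsite.com',
  'access-control-allow-credentials': 'true',
};
console.log(checkSetup('https://mywebsite.com', 'https://mywebsite.io',
  POST_COOKIE, ASSUMED_CORS));
```

With the options from the question the only remaining finding is the third-party one, which no cookie attribute removes; the same check returns no findings when page and API share a site (for example two subdomains of one domain).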
0 Answers