Quick note about the new fetch() API

If you're running into a problem where the server is properly returning a Set-Cookie header, but subsequent requests from your browser aren't sending them (either via the fetch() API or through normal requests), I have the answer!

Your call to fetch() must have the following configuration option: credentials: 'same-origin' The documentation states that this option is required for the fetch() API to send cookies, but it is also required for the browser to accept cookies returned from the server. Lesson learned the hard way.