Yes, you can use session cookies cross-origin, but be careful, because it can lead to vulnerabilities as well. For example, your back-end is hosted on api.back-end.com and you want to provide a session to your front-end project, which is hosted on app.front-end.com. On the back-end you need to provide the response headers Access-Control-Allow-Origin: app.front-end.com and Set-Cookie: SESSIONID=yourSessionId; HttpOnly so that it will only send session cookies to this front-end app. If you provide Access-Control-Allow-Origin: *, it will provide the session to all apps, which is not preferable because some other website can request your back-end and access session IDs to play with your back-end. To make it more secure you can add credentials: include inside your request header with fetch in the front-end app. This would block JavaScript from accessing browser cookies via JavaScript browser APIs.
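An added example, not part of the original answer: a back-end header policy for api.back-end.com next to a simplified model of the CORS check the browser runs on the response, showing that a credentialed fetch is only exposed to the page when Access-Control-Allow-Origin echoes the exact origin (scheme included) and Access-Control-Allow-Credentials is true, and that `*` fails that check. The function names, the https scheme, the Secure and SameSite=None attributes (needed for a cookie sent between two different sites) and the sample origins are assumptions made for this example.

```javascript
// Constructed allowlist; an Origin value always includes the scheme (https assumed).
const ALLOWED_ORIGINS = new Set(["https://app.front-end.com"]);

// Server side: build CORS response headers for the request's Origin header.
function corsHeaders(origin) {
  // Vary on Origin so a cache never replays one origin's headers to another.
  const headers = { Vary: "Origin" };
  // Exact match against the allowlist: no wildcard, no substring or regex tests.
  if (typeof origin === "string" && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    // Without this header the browser withholds a credentialed response.
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Server side: session cookie value for the Set-Cookie header.
// HttpOnly keeps the cookie out of document.cookie; SameSite=None; Secure
// lets it travel on cross-site requests over HTTPS only.
function sessionCookie(sessionId) {
  if (!/^[A-Za-z0-9_-]+$/.test(sessionId)) {
    throw new Error("invalid session id"); // refuse ';', CR/LF and similar
  }
  return `SESSIONID=${sessionId}; Path=/; HttpOnly; Secure; SameSite=None`;
}

// Browser side: simplified model of the Fetch standard's CORS check.
// credentialsMode is the fetch() option: "omit", "same-origin" or "include".
function corsCheckPasses(pageOrigin, responseHeaders, credentialsMode) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  // "*" is honoured only when no credentials were sent.
  if (credentialsMode !== "include" && acao === "*") return true;
  if (acao !== pageOrigin) return false;
  if (credentialsMode !== "include") return true;
  return responseHeaders["Access-Control-Allow-Credentials"] === "true";
}

// Front-end call this models (fetch option, not a header):
//   fetch("https://api.back-end.com/...", { credentials: "include" })
```
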