hmm... cookie: {secure: true} is the problem. but why?