res.cookie not working with Electron


I am having trouble setting cookies from my Express server on my Electron app.

Here is the login event listener on my login page:

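// Login click handler: sign in with Firebase, exchange the ID token for a
// server-side session cookie, then call a test endpoint to confirm that the
// cookie is sent back.
// (The listing on the page lost its closing `})` lines and the call
// expression on the /sessionLogin line; both are restored here.)
loginButton.addEventListener('click', () => {
  const emailInput = document.getElementById('email');
  const passwordInput = document.getElementById('password');

  auth.signInWithEmailAndPassword(emailInput.value, passwordInput.value)
    .then((data) => {
      // The sign-in result is deliberately not logged: it may include the
      // user's token material, which should stay out of console output.
      return data.user.getIdToken();
    })
    .then((idToken) => {
      // withCredentials is needed on THIS request too. On a cross-origin XHR
      // the Set-Cookie header of the response is discarded unless the request
      // was made with credentials, so the session cookie was never stored.
      // The server must also answer with Access-Control-Allow-Credentials: true
      // and a specific (non-wildcard) Access-Control-Allow-Origin.
      return axios.post(serverURL + '/sessionLogin', {idToken}, {withCredentials: true});
    })
    .then(() => {
      // Returned so that a failure of the test call reaches the catch below
      // instead of becoming an unhandled rejection.
      return axios.get(serverURL + '/test', {withCredentials: true});
    })
    .catch((err) => {
      console.log('err trying to get id token', err);
      // alert('Error logging in - are you sure you have the right email and password?');
      // Clear the form so the password does not linger in the DOM after a failure.
      emailInput.value = '';
      passwordInput.value = '';
    });
});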

The sessionLogin endpoint on my server is:

const cookieParser = require('cookie-parser');

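app.use(cookieParser());

// Exchanges a Firebase ID token for a session cookie.
// (The page lost the `app.post(` prefix and the closing `})` lines; restored.)
// NOTE(review): req.body is only populated when a body parser such as
// express.json() is mounted - not visible on this page, confirm.
// NOTE(review): Firebase's sample for this endpoint also guards against CSRF;
// no such check is present here - add one before relying on the cookie.
app.post('/sessionLogin', (req, res) => {
  const rawToken = req.body && req.body.idToken;
  // Reject a missing or non-string token up front instead of letting
  // `.toString()` throw on undefined.
  if (typeof rawToken !== 'string' || rawToken === '') {
    res.status(401).send('UNAUTHORIZED REQUEST!');
    return;
  }
  // The ID token is a bearer credential, so it is not written to the log.

  // Session lifetime: 5 days, in milliseconds.
  const expiresIn = 60 * 60 * 24 * 5 * 1000;
  admin.auth().createSessionCookie(rawToken, {expiresIn})
    .then((sessionCookie) => {
      // httpOnly keeps the cookie away from renderer JavaScript.
      // secure means the client only returns it over HTTPS; if serverURL is
      // plain http the cookie may be dropped (localhost handling varies).
      // For a cross-site caller the SameSite attribute also decides whether
      // the cookie is attached - presumably relevant for an Electron renderer,
      // verify against how the page is loaded.
      const options = {maxAge: expiresIn, httpOnly: true, secure: true};
      res.cookie('session', sessionCookie, options);
      res.end(JSON.stringify({status: 'success'}));
    })
    .catch((err) => {
      // The verification failure is not echoed to the client.
      res.status(401).send('UNAUTHORIZED REQUEST!');
    });
});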

The above is mostly Firebase’s suggested code. When res.cookie is called, I thought it’s supposed to create a cookie in the client browser. But when I make a call immediately to this test endpoint, the server doesn’t see any cookies.

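// Debug endpoint: shows which cookies the server received.
// (The closing `});` was lost on the page; restored.)
app.get('/test', (req, res) => {
  // Debug only: once the session cookie does arrive, this line writes its
  // value to the server log. Remove it or log only the cookie names.
  console.log('req.cookies are', req.cookies) //req.cookies are {}
  // As shown, the handler never answered, leaving the client request hanging.
  res.end();
});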

I am using cookie parser. Is this something that works differently with Electron? I know you can set cookies manually with Electron, but that doesn’t seem to help much if the point of the cookie is to ensure that only logged-in users can access restricted endpoints.