For anyone else who is having this issue, take a look at this:
app.use(session({
secret: 'something',
cookie: {
secure: true
}}));
If you have cookie.secure set to true and you’re NOT using SSL (i.e. https protocol) then the cookie with the session id is not returned to the browser and everything fails silently. Removing this flag resolved the problem for me – it took hours to realise this!