Apparently express-session generates cookie headers that are string arrays, and these are not joined but passed along as JSON array elements, which leads to invalid JSON.

const session = require('express-session');
app.use(session({ secret: 'this-is-a-secret-token', cookie: { maxAge: 60000 }}));

Fixed in 1.8.5