If your application is running behind a reverse proxy (e.g., Nginx or Heroku), the Express application may interpret incoming HTTPS requests as HTTP. In this case, secure: true will prevent the session cookies from being sent.

app.set('trust proxy', 1);