After reading this post, I realized that the solution was pretty simple. I needed to set credentials: 'include' in the login request in order for the cookie to actually be saved in the browser. Cookies seem to not be saved automatically when the Set-cookie header is present unless the fetch requests "asks" for them.