Apparently xhr put (and patch) requests from browsers to remote servers ignore the response's Set-Cookie header. I don't know why browsers do this shit, but it's annoying as hell.
Remote Address:127.0.0.1:4000
Request URL:http://localhost:4000/api/sessions
Request Method:POST
Status Code:201 Created
Response Headers
view source
access-control-allow-credentials:true
access-control-allow-origin:http://localhost:4200
access-control-expose-headers:_apiv4_key
content-length:803
content-type:application/json; charset=utf-8
date:Wed, 13 Jan 2016 18:41:27 GMT
server:Cowboy
set-cookie:_apiv4_key=...
is okay, but change the method to put
Request Method:POST
Then all of a sudden the browsers don't bother to update the cookie for further upcoming xhr requests.
Be aware of this when building sessions, as you must no implement all updates to session via the post method.