Perhaps you have to add "Cookie" to the allowed headers, so the session is recognized for authentication? I will try to set this up locally to test as well.