I'm not an Express.js user, but according to expressjs.com/en/changelog/4x.html you can set sameSite: 'lax' instead of true/false.
When SameSite is "Strict", cookies are only sent on requests that come from the same origin, which means they are not sent when following links or redirects. With "lax", they are also sent in those cases. It's a bit less secure, but as you can see, the strict mode tends to break things.
Update the post accordingly. Thanks for the pointer.
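The Strict/Lax difference discussed in the comment above, as an added example that is not part of the original thread: a simplified model of when a browser attaches a SameSite cookie. The `siteOf` approximation, the request shape and the sample URLs are constructed assumptions.

```javascript
// Simplified model of the browser's SameSite decision (illustrative only;
// real browsers apply further rules, e.g. around redirect chains).
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Assumption: "site" is approximated by the last two host labels. Real
// browsers use the Public Suffix List and also compare the scheme.
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// sameSite: 'strict' | 'lax' | 'none' (Express also accepts true, meaning Strict).
// request: { initiator, target, method, topLevelNavigation } (hypothetical shape).
function cookieIsSent(sameSite, request) {
  const mode = sameSite === true ? 'strict' : String(sameSite).toLowerCase();
  if (!['strict', 'lax', 'none'].includes(mode)) {
    throw new Error(`unsupported SameSite value: ${sameSite}`);
  }
  const sameSiteRequest = siteOf(request.initiator) === siteOf(request.target);
  if (sameSiteRequest || mode === 'none') return true;
  if (mode === 'strict') return false; // never sent on cross-site requests
  // Lax: cross-site only for top-level navigations using a safe method.
  return request.topLevelNavigation === true &&
    SAFE_METHODS.has(request.method.toUpperCase());
}

// Constructed sample requests against a hypothetical app.example.com.
const SAMPLES = {
  linkFromOtherSite: { initiator: 'https://mail.other.test/inbox',
    target: 'https://app.example.com/dashboard', method: 'GET', topLevelNavigation: true },
  crossSiteFormPost: { initiator: 'https://evil.other.test/',
    target: 'https://app.example.com/transfer', method: 'POST', topLevelNavigation: true },
  crossSiteImage: { initiator: 'https://evil.other.test/',
    target: 'https://app.example.com/avatar.png', method: 'GET', topLevelNavigation: false },
  sameSiteFetch: { initiator: 'https://www.example.com/',
    target: 'https://app.example.com/api/me', method: 'GET', topLevelNavigation: false },
};

// Returns, per sample request, whether the cookie is sent under each mode.
function decisionTable() {
  const table = {};
  for (const [name, req] of Object.entries(SAMPLES)) {
    table[name] = { strict: cookieIsSent('strict', req), lax: cookieIsSent('lax', req) };
  }
  return table;
}

console.log(decisionTable());
```

The followed link is the only sample where the two modes differ, which is why Strict tends to break login flows that arrive from another site while Lax still withholds the cookie from the cross-site POST.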