Django HTTP response always sets `sessionid` cookie and session data do not persist

I have created a custom backend and related middleware which log users in on the sole condition that an `ID_TOKEN` cookie is passed along with the request (authentication is done by AWS Cognito + Lambda Edge, managed by an AWS CloudFront).

My code is extensively based on `django.contrib.auth.backends.RemoteUserBackend` and its related middleware `django.contrib.auth.middleware.RemoteUserMiddleware`.

While dealing with custom session data is working fine both locally and in a Docker container using `runserver`, and unit tests do pass, I lose all session data in production (code running in a container on AWS ECS) from one request/response to another. From what I can see in my Firefox network tab, a `set-cookie` header is always sent with the HTTP response, causing session data to be lost. I guess they must be flushed as well on the back-end side (sessions use database store, production is running on gunicorn).

I have set `SESSION_COOKIE_SECURE = True` in production but it did not solve the issue. Moreover, using `django_extensions` and its `runserver_plus` with an auto-generated certificate to use HTTPS locally as well did not allow me to reproduce the issue.

Here is one set-cookie example: `set-cookie sessionid=rlc...tn; expires=Mon, 03 Feb 2025 14:29:53 GMT; HttpOnly; Max-Age=1209600; Path=/; SameSite=Lax; Secure`

Has anyone dealt with such a problem before?
