Two things.
1. cookieParser is commented because in the present state it's not a middleware, just a function that returns one (I think, didn't check it).
If you used `app.use(cookieParser());` instead, I believe you would get your cookie.
2. Auth - you have the app.use(session()); in there. This is why your auth works. Basically, session will read it's own cookie, even if you don't parse it for other stuff, like reading data in your request (you shouldn't, anyway).
On a side note, you might want to consider removing cookies completely - just return an auth-token on login response instead of session and cookies. Then the client only has the token and you don't manage client state. There is even passport stuff for this.