Make a request with a session-scoped HTTP-only no-expiration domain cookie, response comes back without it, but the cookie goes missing. Hook all kinds of bits into the page response to figure out where the cookie is lost. No joy. Finally look at all the requests made by the page. Ta da. There's a (bad) request for a cross-subdomain image, starting from test.domain.com, but requesting an image from www․domain.com. Not a problem, per se, it's a domain-scoped cookie, but the cookie's existence depends on a prior authentication, which the other (www) site doesn't have, so it cleared the cookie in its response. Let's hope I can figure that out quicker next time.