I'm using both a front-end and a back-end application on a different domain with a session-based authorization. I have set up a working CORS configuration, which works as expected on
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Date: Wed, 20 Sep 2017 11:57:07 GMT
Set-Cookie: CSRF-TOKEN=[some-token]; Path=/
X-Xss-Protection: 1; mode=block
Strict-Transport-Security: max-age=15768000; includeSubDomains
POST /api/authentication HTTP/1.1
Accept: application/json, text/plain, */*
Accept-Encoding: gzip, deflate, br
Cookie: [some-other-cookies]; CSRF-TOKEN=[same-token-as-in-the-previous-request]
In short, it is not possible to access cross-origin cookies;
document.cookie can only access the current (or parent) domain cookies.
The hint for that being the root cause was ssc-hrep3 mentioning "both domains" in his question.
See ssc-hrep3's answer for more information and a workaround.
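
The visibility rule from the answer above, as an added example that is not part of the original question or answers: a simplified model of the RFC 6265 domain and path matching that decides whether a page's document.cookie can see a cookie, applied to the Set-Cookie header from the question. The host names are constructed, and the model assumes a default path of / and skips the public-suffix check.

```javascript
// Added example: simplified RFC 6265 model of which cookies document.cookie exposes.
// Host names are constructed; default path is assumed to be "/".
function domainMatch(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

function pathMatch(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  return reqPath.startsWith(cookiePath) &&
    (cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/');
}

// Parse a Set-Cookie header value received in a response from responseHost.
function parseSetCookie(header, responseHost) {
  const origin = responseHost.toLowerCase();
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: origin, hostOnly: true, path: '/', httpOnly: false };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=').map(s => s.trim());
    const key = k.toLowerCase();
    if (key === 'domain' && v) {
      // An explicit Domain makes the cookie visible to that domain and its subdomains.
      cookie.domain = v.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    } else if (key === 'path' && v.startsWith('/')) cookie.path = v;
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  // A server may only set cookies for its own host or a parent domain of it.
  return domainMatch(origin, cookie.domain) ? cookie : null;
}

// True if script in a document at documentHost/documentPath can read the cookie.
function visibleToScript(cookie, documentHost, documentPath = '/') {
  if (!cookie || cookie.httpOnly) return false;
  const host = documentHost.toLowerCase();
  const hostOk = cookie.hostOnly ? host === cookie.domain
                                 : domainMatch(host, cookie.domain);
  return hostOk && pathMatch(documentPath, cookie.path);
}

// Header shape taken from the response in the question; the token is a placeholder.
const header = 'CSRF-TOKEN=some-token; Path=/';
const fromBackend = parseSetCookie(header, 'api.backend.example');
console.log(visibleToScript(fromBackend, 'app.frontend.example')); // false
console.log(visibleToScript(fromBackend, 'api.backend.example'));  // true
// Same cookie scoped to a shared parent domain (the "or parent" case).
const shared = parseSetCookie(header + '; Domain=example.test', 'api.example.test');
console.log(visibleToScript(shared, 'app.example.test'));          // true
```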