Cookies no longer save for insecure sites in Googl

Posted 2019-07-21 20:45

Question:

Prior to sometime in early September, everything worked fine. However, sometime around September 6, in our test environment (which forces SSL, but does not have an actual SSL certificate) cookies would no longer save to the browser, but only in Google Chrome. (I didn't test in many other browsers, but the cookies did get set correctly in Internet Explorer 11.) The cookies were also set correctly when running on my local server (which does not enforce SSL) and in production (which does force SSL, but has an actual certificate).

Accordingly, my guess is that Google Chrome no longer accepts cookies from insecure sites. However, I'm having trouble finding this kind of documentation. It is not the end of the world if this doesn't get solved, but it isn't convenient if we have to log in every time we refresh the page or go to a new page.

Does anyone know what the problem is, and perhaps a workaround or solution?

Answer 1:

I have the same problem on a testing server and cannot find any official information as to when this policy was introduced. Everything still works in Firefox.

A workaround that seems to work at the time of writing is to treat requests as if they were CORS (enable CORS on the backend and then do requests from the client with the withCredentials header on the frontend), even if the requests are coming from the same domain.
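
The workaround in Answer 1, sketched as an added example (not code from the thread): a Node-style handler that returns the headers a credentialed request requires, restricted to an allowlisted origin. The origin, the path and the function names are assumptions made for illustration.

```javascript
// Added example: the origin below is a constructed placeholder, not from the thread.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);

// Build the response headers for a credentialed CORS request.
// Returns null when Origin is absent or not allowlisted, so the caller adds nothing.
function credentialedCorsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  if (!origin || !allowed.has(origin)) return null;
  return {
    // Browsers reject "*" together with credentials; echo the exact vetted origin.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // The response differs per Origin, so caches must key on it.
    "Vary": "Origin",
  };
}

// Node http-style handler: req has headers/method, res has setHeader/statusCode/end.
function handle(req, res) {
  const cors = credentialedCorsHeaders(req.headers.origin);
  if (cors) for (const [k, v] of Object.entries(cors)) res.setHeader(k, v);

  if (req.method === "OPTIONS") {
    // Preflight: answer without touching session state.
    if (cors) {
      res.setHeader("Access-Control-Allow-Methods", "GET, POST");
      res.setHeader("Access-Control-Allow-Headers", "Content-Type");
    }
    res.statusCode = cors ? 204 : 403;
    return res.end();
  }
  res.statusCode = 200;
  res.setHeader("Content-Type", "application/json");
  res.end(JSON.stringify({ ok: true }));
}

// Frontend half (browser): send cookies with the request.
//   fetch("https://app.example.test/api/me", { credentials: "include" });
//   // or with XMLHttpRequest: xhr.withCredentials = true;
```

Echoing only allowlisted origins matters here because `Access-Control-Allow-Credentials: true` lets the named origin read responses made with the user's cookies.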



Answer 2:

I just ran into this same problem. Solution: use ".test" as your TLD. ".test" seems to be a recognised, reserved TLD for this purpose. Some testing I did just now indicates that Chrome 69 relaxes with .test domains.