Login in PRODUCTION not working unless I remove sess.cookie.secure = true;

I am deploying a Node.js app on Heroku, and I can go to the login screen, but after the callback, it does not log in.

Somehow, I can replicate it by setting NODE_ENV=production

So, I comment out

    if (app.get("env") === "production") {
        // sess.cookie.secure = true; // serve secure cookies, requires https
    }

It now works, but I fear it might be insecure…

The code is here. https://github.com/patarapolw/zhlevel-ts/blob/2eefd0f705bbaea262fc0cc9ae2965afebcbc2aa/src/server.ts#L49

Is your Heroku app configured to use HTTPS?
That line will issue a SECURE cookie which will only be sent back over HTTPS. It seems like your app may not be using HTTPS…
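
An added example, not part of the original thread and not express-session's source: a simplified model of why a `secure` session cookie is never set when TLS is terminated at a proxy in front of the app (as Heroku's router does), and what trusting the proxy's `X-Forwarded-Proto` header changes. The function names and request objects are constructed for illustration.

```javascript
// Simplified model (added example, not express-session's source) of the
// check that decides whether a cookie marked `secure` is sent at all.
// Assumption: the platform router terminates TLS and forwards plain HTTP
// to the app, adding X-Forwarded-Proto with the client's original scheme.

function connectionIsSecure(req, trustProxy) {
  // Direct TLS socket to the Node process.
  if (req.socket && req.socket.encrypted) return true;
  // Proxy headers are ignored unless the app opted in to trusting them.
  if (!trustProxy) return false;
  // Leftmost value is the scheme the client used to reach the proxy.
  const header = String(req.headers["x-forwarded-proto"] || "");
  return header.split(",")[0].trim().toLowerCase() === "https";
}

// Returns the Set-Cookie value, or null when the cookie is withheld.
function sessionCookieFor(req, { secure, trustProxy }) {
  if (secure && !connectionIsSecure(req, trustProxy)) return null;
  const attrs = ["connect.sid=CONSTRUCTED_ID", "Path=/", "HttpOnly"];
  if (secure) attrs.push("Secure");
  return attrs.join("; ");
}

// Constructed requests, as the app process sees them behind the router.
const viaRouterHttps = { socket: { encrypted: false }, headers: { "x-forwarded-proto": "https" } };
const viaRouterHttp = { socket: { encrypted: false }, headers: { "x-forwarded-proto": "http" } };

function demo() {
  return {
    // The situation in the question: secure cookie, proxy header not trusted.
    secureUntrusted: sessionCookieFor(viaRouterHttps, { secure: true, trustProxy: false }),
    // Same request once the app trusts the router's header.
    secureTrusted: sessionCookieFor(viaRouterHttps, { secure: true, trustProxy: true }),
    // Plain-HTTP visitor: cookie still withheld, which is the point of `secure`.
    secureTrustedHttp: sessionCookieFor(viaRouterHttp, { secure: true, trustProxy: true }),
    // The workaround from the question: login works, but the cookie lacks Secure.
    workaround: sessionCookieFor(viaRouterHttp, { secure: false, trustProxy: false }),
  };
}

console.log(demo());
```

In an Express app the corresponding setting is `app.set('trust proxy', 1)`, placed before the session middleware, with `sess.cookie.secure = true` left enabled.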