Http-request, cookies for different domains in one flow

After a few days, dozens of attempts and checking all forum/google results I could find I decided to ask here for some help.

I try to get some data from a page (, employee benefit prepaid cards). There are a few steps to get to final JSON I would like to grab.

  1. login form on (with CSRF token)
  2. it sets cookie PHPSESSID for domain
  3. now the fun begins - clicking on card lists we get call to which redirects us to - notice subdomain
  4. redirects us to /api/oauth/token AND sets the cookie PHPSESSID for domain (it has different value from the one from point 2.)
  5. redirects us to
  6. above redirects us to<some-token>&redirect=%2F%23%2Fcards
  7. above redirects us to /api/oauth/start
  8. above redirects us to /#/cards
  9. finally sets cookie XSRF-TOKEN

From now on there are several requests that return JSONs, like:
10. (with cookie PHPSESSID from point 4. and XSRF-TOKEN from point 9. - also, X-XSRF-TOKEN header is set with the same value)
11. - similar data as in 1. - this JSON is the one I'm interested in

Now, after this quite long and boring introduction lets move to Node-RED. I have a set of http-request nodes trying to follow above path. First one for point 1. for login, I get proper cookie but then I'm not sure how the cookies are handled for different domains. Should I store PHPSESSID aside and replace msg.cookies every time I call different domain? Points 3. to 8. are done in one http-request, I get 5 elements array in redirectList, but those cookies are not preserved. I've tried to manually extract them like msg.cookies['PHPSESSID'] = msg.redirectList[1].cookies['PHPSESSID']; but that didn't work and looks like ugly hack rather than proper approach.

Calling those final endpoints from point 10. and 11. that should returns JSON fails and I get error Login required so I assume it does not get proper cookie (I tried to send both PHPSESSID, no luck).

My flow is quite messy right now and has lots of debug code so I'm not posting it. It's also pointless without credentials so..

Anyway, long story short. Some hints on handling different subdomains with different cookies (with the same name) would be much appreciated.