Redis and ioredis clusters: session stores, sticky sessions, and CORS with credentialed cookies

When a primary fails over, browsers may retry with the same cookies—ensure Allow-Credentials stays true on the new master.

Monitor CLUSTER SLOTS changes during incidents for unexpected routing.

Eviction of session keys can surface as auth errors that resemble CORS failures in SPAs.

Separate cache namespaces for anonymous versus authenticated users.