We have a mashup in AngularJs with the capability API, and are using Ticket authentication, fetched using an Xrfkey and the qps API routes. Once we have a Ticket, we load a static file from the QlikSense server, specifically require.js (and lately Qlik_default_leaf.png) with the qlikticket appended as a query parameter: ?qlikTicket=<foo>

The response from loading these static files contains a Set-Cookie header, which sets the X-Qlik-Session cookie. However, calling "openApp" in the qlik/js client AFTER that cookie is set, still returns Access Denied. For some users, this happens 50% of the time, while for others it is 99%, and for others even it is 1%. 

The AccessDenied is contained in the Websocket connection that opens our app, specifically: 

https://<host>/app/<appId>/identity/<our Xrf Key>?reloadUri=<MashUp-Url>

This socket connection initially receives "anonymous<GUID>" userId and userDirectory of NONE, followed by a loginUri that we aren't using (for Internal Windows Authentication). 

We have tried a variety of fiddling, but are not sure why the session is sometimes anonymous, despite the existence of a Qlik Session cookie, generated with the Ticket provided by the /qps/ticket/ API, which was supplied a JSON body of the UserId and UserDirectory.