Hey Basil - increasing logging verbosity turned out to be the key here, and my apologies! As you suspected, this was on my end.
Turns out that our Swarm workers reach the Jenkins master through a minimal and very poorly built proxy served from localhost (this was implemented well before my time working on our stack, and I only discovered the existence of the proxy yesterday). The only purpose of the proxy is to append an "X-Forwarded-User: worker_node" header to identify itself to the Jenkins master; this header is typically appended to human users' requests by our OAuth2 reverse-proxy, but Swarm agents access the master directly.
Turns out that the Jenkins master sends JSESSIONID cookies with the Secure attribute, which (correctly) forces the Swarm client to omit the cookie from http://localhost-bound requests. That solves that mystery.
If I could poke you with one more question, I am now left with the issue of how to move forward - I would still like to remove that EXCLUDE_SESSION_ID override from our configuration, after all. Is there an easier way for me to inject an X-Forwarded-User header into Swarm-issued requests? If not, would you entertain adding a command-line option (--include-header or something?) to support such a use case (or maybe something to that effect already exists within the underlying Apache machinery)? Or perhaps we're going about this wrong, and you would recommend a different setup configuration altogether.
Thanks again for your time, and thanks in advance for any guidance you could give on best practices here!
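The Secure-cookie behaviour described in the comment above, reproduced as an added example (not part of the original comment and not the Swarm plugin's code). Python's http.cookiejar stands in for the Swarm client's cookie store, and the port, hostname, paths and session id are constructed placeholders.

```python
import email.message
import http.cookiejar
import urllib.request


class RelayedResponse:
    """Minimal response exposing info(), all that CookieJar.extract_cookies() needs."""

    def __init__(self, set_cookie):
        self._headers = email.message.Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent_back(set_cookie, first_url, next_url):
    """Store the cookie from a response to first_url, then return the Cookie
    header the jar attaches to a follow-up request to next_url (None when the
    jar withholds the cookie)."""
    jar = http.cookiejar.CookieJar()
    jar.extract_cookies(RelayedResponse(set_cookie), urllib.request.Request(first_url))
    follow_up = urllib.request.Request(next_url)
    jar.add_cookie_header(follow_up)
    return follow_up.get_header("Cookie")


# Constructed sample values (assumptions, not taken from the thread).
PROXY = "http://localhost:8080/"           # plain-HTTP hop through the local proxy
DIRECT = "https://jenkins.example.test/"   # TLS connection straight to the master
SECURE = "JSESSIONID=constructed-session-id; Path=/; Secure; HttpOnly"
PLAIN = "JSESSIONID=constructed-session-id; Path=/; HttpOnly"

if __name__ == "__main__":
    cases = [
        ("Secure cookie via http://localhost", SECURE, PROXY),
        ("non-Secure cookie via http://localhost", PLAIN, PROXY),
        ("Secure cookie via https", SECURE, DIRECT),
    ]
    for label, cookie, base in cases:
        sent = cookie_sent_back(cookie, base, base + "computer/")
        print(f"{label}: Cookie header = {sent!r}")
```
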