in the end i fixed it by exposing headers, managing them manually on the client and not using Ktor Sessions, instead rolling my own solution where the websocket can send the sessionId as first message and i can verify manually
From a thread in #javascript