This is where I install the Sessions:

install(Sessions) {
        cookie<UserSession>("SESSION")
    }

And the login page

post {
                    // fail on logged in
                    AuthorisationHandler.failOn(call, AuthorisationHandler.AuthorisationType.LOGGED_IN)

                    val postData = call.receive<ValuesMap>()

                    // handle login
                    val filledForm = Form.LOGIN.parseFormData(postData)
                    val user = User.handleLogin(filledForm[FormItem.USERNAME]!!, filledForm[FormItem.PASSWORD]!!)

                    // new session
                    call.sessions.set("SESSION", user.newSession().getUserSession())

                    call.respondRedirect("/")
                }

Note that the sessions work in every other route. The cookies (which contains session info) are not sent on the request to /api/upload for some reason.