In my particular case, this seems to have been caused by one or all of:
1. Missing the following request header in Apache:
<VirtualHost *:80>
RequestHeader set X-Forwarded-Proto "http"
…
</VirtualHost>
I added the above Apache directive and restarted Apache.
2. Having the cookieDomain set in the admin panel
If you cannot log into your forum, the only way to remove this cookieDomain value is to manually run a DB query to remove it. In my case this was Mongo and I used a GUI client to remove the value.
A raw query would look something like this:
db.objects.update({_key: "config"}, {$set: {cookieDomain: ""}});
More info here - https://community.nodebb.org/topic/9196/invalid-session?_=1470286431609&page=1
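
An added example (not part of the original post and not NodeBB code): a check, following the RFC 6265 domain-match rules, of whether a browser visiting a given hostname would keep a session cookie issued with a candidate cookieDomain value. The function names and sample hostnames are constructed, and it assumes an empty cookieDomain means no Domain attribute is sent.

```javascript
// Added example: would a browser on `host` keep a cookie whose Domain
// attribute is `cookieDomain`? Rules follow RFC 6265 (5.1.3, 5.2.3, 5.3).

// Browsers ignore one leading dot and compare case-insensitively.
function canonicalDomain(value) {
  const v = String(value || '').trim().toLowerCase();
  return v.startsWith('.') ? v.slice(1) : v;
}

// Suffix matching never applies to IP literals.
function isIpLiteral(host) {
  return /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.includes(':');
}

// `host` is the hostname users type into the browser, without a port.
function checkCookieDomain(cookieDomain, host) {
  const h = String(host).trim().toLowerCase();
  const d = canonicalDomain(cookieDomain);

  // Assumption: an empty setting sends no Domain attribute (host-only cookie).
  if (d === '') return { ok: true, reason: 'host-only cookie' };
  if (h === d) return { ok: true, reason: 'exact host match' };

  // A single-label domain such as "com" is treated as a public suffix.
  // This heuristic stands in for a full public suffix list lookup.
  if (!d.includes('.')) return { ok: false, reason: 'public-suffix-like domain' };
  if (isIpLiteral(h)) return { ok: false, reason: 'IP host needs exact match' };

  // The host must end with "." + domain, not merely with the same letters.
  if (h.endsWith('.' + d)) return { ok: true, reason: 'parent domain match' };
  return { ok: false, reason: 'browser discards the session cookie' };
}

// Constructed sample values, checked against one forum hostname.
for (const candidate of ['', '.example.com', 'forum.example.org', 'com']) {
  const r = checkCookieDomain(candidate, 'forum.example.com');
  console.log(JSON.stringify(candidate), r.ok ? 'OK' : 'REJECTED', '-', r.reason);
}
```

A value that comes back rejected here is one that leaves the browser without a session cookie, so check the candidate against every hostname the forum is reached on before saving it.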