As the cookie work out-of-the-box in the browser, we can use it for rest request also almost out-of-the-box (use 'withCredentials: true' headerOption in a request, do not forget to enable 'supportsCredentials: true' in services.yml alongside other CORS config).
Drupal 8 REST come with basic_auth and cookie. So let login and get cookie data. I had no success to send "Set-cookie" header with the custom login request - https://drupal.stackexchange.com/questions/269194/how-to-add-set-cookie-....
But had succeeded to retrieve the sess_name and sess_id which are necessary to create a cookie for authentication. So here is the custom login:
(Note that this is a rest resource - you need to enable it with json and basic_auth, then set permissions for anonymous to use it.)
One thing missing from default rest login is csrf_token. But once we can make an authenticated request (with a cookie) we can obtain him from /rest/session/token.