Cookies are bad. We should replace them. Perhaps with HTTP State Tokens (https://mikewest.github.io/http-state-tokens/draft-west-http-state-tokens.html)?