Minor improvement suggestion: Right now the response is something like "the cookie is in the response header". We could just return the cookie string instead (in addition to the header).