We now send a cookie if any of these conditions are met:
(a) a cookie was used for authentication
(b) a cookie was sent but not used for authentication, and the credentials
used for authentication were the same as those in the cookie
(c) the user asked to have a cookie sent and is not a guest user.
Now whenever we're not sending a "real" cookie, we send a cookie
with no user or key data that expires "one day ago".