can I maintain an auth session cookie over all https.requests?