diff --git a/keyserver/src/responders/handlers.js b/keyserver/src/responders/handlers.js
index 2ecc83081..929c9bbaf 100644
--- a/keyserver/src/responders/handlers.js
+++ b/keyserver/src/responders/handlers.js
@@ -1,290 +1,246 @@
 // @flow
 
 import type { $Response, $Request } from 'express';
 import type { TType } from 'tcomb';
 
 import { ServerError } from 'lib/utils/errors.js';
 import {
   assertWithValidator,
   tPlatformDetails,
 } from 'lib/utils/validation-utils.js';
 
 import { getMessageForException } from './utils.js';
 import { deleteCookie } from '../deleters/cookie-deleters.js';
 import type { PolicyType } from '../lib/facts/policies.js';
 import {
   fetchViewerForJSONRequest,
   addCookieToJSONResponse,
-  fetchViewerForHomeRequest,
   addCookieToHomeResponse,
   createNewAnonymousCookie,
   setCookiePlatformDetails,
 } from '../session/cookies.js';
 import type { Viewer } from '../session/viewer.js';
-import {
-  type AppURLFacts,
-  getAppURLFactsFromRequestURL,
-} from '../utils/urls.js';
+import { getAppURLFactsFromRequestURL } from '../utils/urls.js';
 import {
   policiesValidator,
   validateInput,
   validateOutput,
 } from '../utils/validation-utils.js';
 
 type InnerJSONResponder = {
   responder: (viewer: Viewer, input: any) => Promise<*>,
   requiredPolicies: $ReadOnlyArray<PolicyType>,
 };
 
 export opaque type JSONResponder: InnerJSONResponder = InnerJSONResponder;
 
 function createJSONResponder<I, O>(
   responder: (Viewer, input: I) => Promise<O>,
   inputValidator: TType<I>,
   outputValidator: TType<O>,
   requiredPolicies: $ReadOnlyArray<PolicyType>,
 ): JSONResponder {
   return {
     responder: async (viewer, input) => {
       const request = await validateInput(viewer, inputValidator, input);
       const result = await responder(viewer, request);
       return validateOutput(viewer.platformDetails, outputValidator, result);
     },
     requiredPolicies,
   };
 }
 
 export type DownloadResponder = (
   viewer: Viewer,
   req: $Request,
   res: $Response,
 ) => Promise<void>;
-export type HTMLResponder = DownloadResponder;
 export type HTTPGetResponder = DownloadResponder;
+export type HTMLResponder = (req: $Request, res: $Response) => Promise<void>;
 
 function jsonHandler(
   responder: JSONResponder,
   expectCookieInvalidation: boolean,
 ): (req: $Request, res: $Response) => Promise<void> {
   return async (req: $Request, res: $Response) => {
     let viewer;
     try {
       if (!req.body || typeof req.body !== 'object') {
         throw new ServerError('invalid_parameters');
       }
       const { input, platformDetails } = req.body;
       viewer = await fetchViewerForJSONRequest(req);
 
       const promises = [policiesValidator(viewer, responder.requiredPolicies)];
 
       if (platformDetails) {
         if (!tPlatformDetails.is(platformDetails)) {
           throw new ServerError('invalid_platform_details');
         }
         promises.push(
           setCookiePlatformDetails(
             viewer,
             assertWithValidator(platformDetails, tPlatformDetails),
           ),
         );
       }
 
       await Promise.all(promises);
 
       const responderResult = await responder.responder(viewer, input);
       if (res.headersSent) {
         return;
       }
       const result = { ...responderResult };
-      addCookieToJSONResponse(
-        viewer,
-        res,
-        result,
-        expectCookieInvalidation,
-        getAppURLFactsFromRequestURL(req.originalUrl),
-      );
+      addCookieToJSONResponse(viewer, res, result, expectCookieInvalidation);
       res.json({ success: true, ...result });
     } catch (e) {
-      await handleException(
-        e,
-        res,
-        getAppURLFactsFromRequestURL(req.originalUrl),
-        viewer,
-        expectCookieInvalidation,
-      );
+      await handleException(e, res, viewer, expectCookieInvalidation);
     }
   };
 }
 
 function httpGetHandler(
   responder: HTTPGetResponder,
 ): (req: $Request, res: $Response) => Promise<void> {
   return async (req: $Request, res: $Response) => {
     let viewer;
     try {
       viewer = await fetchViewerForJSONRequest(req);
       await responder(viewer, req, res);
     } catch (e) {
-      await handleException(
-        e,
-        res,
-        getAppURLFactsFromRequestURL(req.originalUrl),
-        viewer,
-      );
+      await handleException(e, res, viewer);
     }
   };
 }
 
 function downloadHandler(
   responder: DownloadResponder,
 ): (req: $Request, res: $Response) => Promise<void> {
   return async (req: $Request, res: $Response) => {
     try {
       const viewer = await fetchViewerForJSONRequest(req);
       await responder(viewer, req, res);
     } catch (e) {
       // Passing viewer in only makes sense if we want to handle failures as
       // JSON. We don't, and presume all download handlers avoid ServerError.
-      await handleException(
-        e,
-        res,
-        getAppURLFactsFromRequestURL(req.originalUrl),
-      );
+      await handleException(e, res);
     }
   };
 }
 
 async function handleException(
   error: Error,
   res: $Response,
-  appURLFacts: AppURLFacts,
   viewer?: ?Viewer,
   expectCookieInvalidation?: boolean,
 ) {
   console.warn(error);
   if (res.headersSent) {
     return;
   }
   if (!(error instanceof ServerError)) {
     res.status(500).send(getMessageForException(error));
     return;
   }
   const result: Object = error.payload
     ? { error: error.message, payload: error.payload }
     : { error: error.message };
   if (viewer) {
     if (error.message === 'client_version_unsupported' && viewer.loggedIn) {
       // If the client version is unsupported, log the user out
       const { platformDetails } = error;
       const [data] = await Promise.all([
         createNewAnonymousCookie({
           platformDetails,
           deviceToken: viewer.deviceToken,
         }),
         deleteCookie(viewer.cookieID),
       ]);
       viewer.setNewCookie(data);
       viewer.cookieInvalidated = true;
     }
     // This can mutate the result object
-    addCookieToJSONResponse(
-      viewer,
-      res,
-      result,
-      !!expectCookieInvalidation,
-      appURLFacts,
-    );
+    addCookieToJSONResponse(viewer, res, result, !!expectCookieInvalidation);
   }
   res.json(result);
 }
 
 function htmlHandler(
   responder: HTMLResponder,
 ): (req: $Request, res: $Response) => Promise<void> {
   return async (req: $Request, res: $Response) => {
     try {
-      const viewer = await fetchViewerForHomeRequest(req);
       addCookieToHomeResponse(
-        viewer,
+        req,
         res,
         getAppURLFactsFromRequestURL(req.originalUrl),
       );
       res.type('html');
-      await responder(viewer, req, res);
+      await responder(req, res);
     } catch (e) {
       console.warn(e);
       if (!res.headersSent) {
         res.status(500).send(getMessageForException(e));
       }
     }
   };
 }
 
 type MulterFile = {
   fieldname: string,
   originalname: string,
   encoding: string,
   mimetype: string,
   buffer: Buffer,
   size: number,
 };
 export type MulterRequest = $Request & {
   files?: $ReadOnlyArray<MulterFile>,
   ...
 };
 type UploadResponder = (viewer: Viewer, req: MulterRequest) => Promise<Object>;
 
 function uploadHandler(
   responder: UploadResponder,
 ): (req: $Request, res: $Response) => Promise<void> {
   return async (req: $Request, res: $Response) => {
     let viewer;
     try {
       if (!req.body || typeof req.body !== 'object') {
         throw new ServerError('invalid_parameters');
       }
       viewer = await fetchViewerForJSONRequest(req);
       const responderResult = await responder(
         viewer,
         ((req: any): MulterRequest),
       );
       if (res.headersSent) {
         return;
       }
       const result = { ...responderResult };
-      addCookieToJSONResponse(
-        viewer,
-        res,
-        result,
-        false,
-        getAppURLFactsFromRequestURL(req.originalUrl),
-      );
+      addCookieToJSONResponse(viewer, res, result, false);
       res.json({ success: true, ...result });
     } catch (e) {
-      await handleException(
-        e,
-        res,
-        getAppURLFactsFromRequestURL(req.originalUrl),
-        viewer,
-      );
+      await handleException(e, res, viewer);
     }
   };
 }
 
 async function handleAsyncPromise(promise: Promise<any>) {
   try {
     await promise;
   } catch (error) {
     console.warn(error);
   }
 }
 
 export {
   createJSONResponder,
   jsonHandler,
   httpGetHandler,
   downloadHandler,
   htmlHandler,
   uploadHandler,
   handleAsyncPromise,
 };
diff --git a/keyserver/src/responders/website-responders.js b/keyserver/src/responders/website-responders.js
index ab556e88e..eb528b82e 100644
--- a/keyserver/src/responders/website-responders.js
+++ b/keyserver/src/responders/website-responders.js
@@ -1,386 +1,381 @@
 // @flow
 
 import html from 'common-tags/lib/html/index.js';
 import { detect as detectBrowser } from 'detect-browser';
 import type { $Response, $Request } from 'express';
 import fs from 'fs';
 import * as React from 'react';
 // eslint-disable-next-line import/extensions
 import ReactDOMServer from 'react-dom/server';
 import { promisify } from 'util';
 
 import { inviteLinkURL } from 'lib/facts/links.js';
 import stores from 'lib/facts/stores.js';
 import getTitle from 'web/title/getTitle.js';
 
-import { Viewer } from '../session/viewer.js';
 import { waitForStream } from '../utils/json-stream.js';
 import {
   getAppURLFactsFromRequestURL,
   getCommAppURLFacts,
 } from '../utils/urls.js';
 
 const { renderToNodeStream } = ReactDOMServer;
 
 const access = promisify(fs.access);
 const readFile = promisify(fs.readFile);
 
 const googleFontsURL =
   'https://fonts.googleapis.com/css2?family=IBM+Plex+Sans:wght@400;500;600&family=Inter:wght@400;500;600&display=swap';
 const localFontsURL = 'fonts/local-fonts.css';
 async function getFontsURL() {
   try {
     await access(localFontsURL);
     return localFontsURL;
   } catch {
     return googleFontsURL;
   }
 }
 
 type AssetInfo = {
   +jsURL: string,
   +fontsURL: string,
   +cssInclude: string,
   +olmFilename: string,
   +commQueryExecutorFilename: string,
   +opaqueURL: string,
 };
 let assetInfo: ?AssetInfo = null;
 async function getAssetInfo() {
   if (assetInfo) {
     return assetInfo;
   }
   if (process.env.NODE_ENV === 'development') {
     const fontsURL = await getFontsURL();
     assetInfo = {
       jsURL: 'http://localhost:8080/dev.build.js',
       fontsURL,
       cssInclude: '',
       olmFilename: '',
       commQueryExecutorFilename: '',
       opaqueURL: 'http://localhost:8080/opaque-ke.wasm',
     };
     return assetInfo;
   }
   try {
     const manifestString = await readFile('../web/dist/manifest.json', 'utf8');
     const manifest = JSON.parse(manifestString);
     const webworkersManifestString = await readFile(
       '../web/dist/webworkers/manifest.json',
       'utf8',
     );
     const webworkersManifest = JSON.parse(webworkersManifestString);
     assetInfo = {
       jsURL: `compiled/${manifest['browser.js']}`,
       fontsURL: googleFontsURL,
       cssInclude: html`
         <link
           rel="stylesheet"
           type="text/css"
           href="compiled/${manifest['browser.css']}"
         />
       `,
       olmFilename: manifest['olm.wasm'],
       commQueryExecutorFilename: webworkersManifest['comm_query_executor.wasm'],
       opaqueURL: `compiled/${manifest['comm_opaque2_wasm_bg.wasm']}`,
     };
     return assetInfo;
   } catch {
     throw new Error(
       'Could not load manifest.json for web build. ' +
         'Did you forget to run `yarn dev` in the web folder?',
     );
   }
 }
 
 let webpackCompiledRootComponent: ?React.ComponentType<{}> = null;
 async function getWebpackCompiledRootComponentForSSR() {
   if (webpackCompiledRootComponent) {
     return webpackCompiledRootComponent;
   }
   try {
     // $FlowFixMe web/dist doesn't always exist
     const webpackBuild = await import('web/dist/app.build.cjs');
     webpackCompiledRootComponent = webpackBuild.app.default;
     return webpackCompiledRootComponent;
   } catch {
     throw new Error(
       'Could not load app.build.cjs. ' +
         'Did you forget to run `yarn dev` in the web folder?',
     );
   }
 }
 
-async function websiteResponder(
-  viewer: Viewer,
-  req: $Request,
-  res: $Response,
-): Promise<void> {
+async function websiteResponder(req: $Request, res: $Response): Promise<void> {
   const { basePath } = getAppURLFactsFromRequestURL(req.originalUrl);
   const baseURL = basePath.replace(/\/$/, '');
 
   const loadingPromise = getWebpackCompiledRootComponentForSSR();
 
   const assetInfoPromise = getAssetInfo();
   const {
     jsURL,
     fontsURL,
     cssInclude,
     olmFilename,
     opaqueURL,
     commQueryExecutorFilename,
   } = await assetInfoPromise;
 
   // prettier-ignore
   res.write(html`
     <!DOCTYPE html>
     <html lang="en">
       <head>
         <meta charset="utf-8" />
         <title>${getTitle(0)}</title>
         <base href="${basePath}" />
         <link rel="stylesheet" type="text/css" href="${fontsURL}" />
         ${cssInclude}
         <link
           rel="apple-touch-icon"
           sizes="180x180"
           href="apple-touch-icon.png"
         />
         <link
           rel="icon"
           type="image/png"
           sizes="32x32"
           href="favicon-32x32.png"
         />
         <link
           rel="icon"
           type="image/png"
           sizes="16x16"
           href="favicon-16x16.png"
         />
         <link rel="manifest" href="site.webmanifest" />
         <meta name="apple-mobile-web-app-title" content="Comm" />
         <meta name="application-name" content="Comm" />
         <meta name="msapplication-TileColor" content="#b91d47" />
         <meta name="theme-color" content="#b91d47" />
       </head>
       <body>
         <div id="react-root">
   `);
 
   const Loading = await loadingPromise;
   const reactStream = renderToNodeStream(<Loading />);
   reactStream.pipe(res, { end: false });
 
   await waitForStream(reactStream);
   res.end(html`
     </div>
     <script>
           var baseURL = "${baseURL}";
           var olmFilename = "${olmFilename}";
           var commQueryExecutorFilename = "${commQueryExecutorFilename}";
           var opaqueURL = "${opaqueURL}";
         </script>
         <script src="${jsURL}"></script>
       </body>
     </html>
   `);
 }
 
 const inviteSecretRegex = /^[a-z0-9]+$/i;
 
 // On native, if this responder is called, it means that the app isn't
 // installed.
 async function inviteResponder(req: $Request, res: $Response): Promise<void> {
   const { secret } = req.params;
   const userAgent = req.get('User-Agent');
   const detectionResult = detectBrowser(userAgent);
   if (detectionResult.os === 'Android OS') {
     const isSecretValid = inviteSecretRegex.test(secret);
     const referrer = isSecretValid
       ? `&referrer=${encodeURIComponent(`utm_source=invite/${secret}`)}`
       : '';
     const redirectUrl = `${stores.googlePlayUrl}${referrer}`;
     res.writeHead(301, {
       Location: redirectUrl,
     });
     res.end();
     return;
   } else if (detectionResult.os !== 'iOS') {
     const urlFacts = getCommAppURLFacts();
     const baseDomain = urlFacts?.baseDomain ?? '';
     const basePath = urlFacts?.basePath ?? '/';
     const redirectUrl = `${baseDomain}${basePath}handle/invite/${secret}`;
     res.writeHead(301, {
       Location: redirectUrl,
     });
     res.end();
     return;
   }
   const fontsURL = await getFontsURL();
   res.end(html`
     <!DOCTYPE html>
     <html lang="en">
       <head>
         <meta charset="utf-8" />
         <title>Comm</title>
         <link rel="stylesheet" type="text/css" href="/${fontsURL}" />
         <style>
           * {
             -webkit-font-smoothing: antialiased;
             -moz-osx-font-smoothing: grayscale;
             box-sizing: border-box;
             padding: 0;
             margin: 0;
           }
 
           html {
             height: 100%;
             font-size: 112.5%;
           }
 
           body {
             font-family: 'Inter', -apple-system, 'Segoe UI', 'Roboto', 'Oxygen',
               'Ubuntu', 'Cantarell', 'Fira Sans', 'Droid Sans', 'Helvetica Neue',
               ui-sans-serif;
             background: #0a0a0a url('/images/invite_link_background.png')
               no-repeat;
             background-size: cover;
             color: #ffffff;
             display: flex;
             flex-direction: column;
             justify-content: space-around;
             align-items: center;
             height: 100%;
             padding: 1.6rem;
             font-size: 1.8rem;
             line-height: 2.4rem;
             font-weight: 500;
           }
 
           section {
             display: flex;
             flex-direction: column;
             align-items: center;
             justify-content: space-between;
             width: 100%;
           }
 
           .card {
             width: 100%;
             padding: 3.2rem 1.6rem;
             gap: 4rem;
             background-color: #1f1f1f;
             border-radius: 1.6rem;
           }
 
           .buttons {
             gap: 1.2rem;
           }
 
           h1 {
             font-size: 3.6rem;
             line-height: 1.5;
             font-weight: 500;
             font-family: 'IBM Plex Sans', sans-serif;
           }
 
           p {
             text-align: center;
           }
 
           .separator {
             border: 1px solid #404040;
             width: 100%;
           }
 
           .button {
             all: unset;
             box-sizing: border-box;
             display: flex;
             justify-content: center;
             align-items: center;
             width: 100%;
             padding: 1.7rem;
             border-radius: 0.4rem;
             border: 1px solid transparent;
             background-color: #6d49ab;
             font-size: 1.6rem;
             line-height: 1.5;
           }
 
           .button.secondary {
             background-color: #1f1f1f;
             border-color: #ffffff;
           }
 
           .link {
             all: unset;
             box-sizing: border-box;
             display: flex;
             align-items: center;
           }
 
           .link-text {
             text-decoration-line: underline;
           }
 
           .logo-container {
             background-color: #0a0a0a;
             width: 4.2rem;
             height: 4.2rem;
             display: flex;
             justify-content: center;
             align-items: center;
             border-radius: 50%;
           }
 
           .logo {
             height: 2.6rem;
           }
 
           .arrow {
             width: 1.8rem;
             height: 1.8rem;
           }
         </style>
       </head>
       <body>
         <div></div>
         <section class="card">
           <section>
             <div class="logo-container">
               <img
                 src="/images/loading_logo.svg"
                 alt="Comm logo"
                 class="logo"
               />
             </div>
             <h1>Comm</h1>
           </section>
           <p>
             To join this community, download the Comm app and reopen this invite
             link
           </p>
           <div class="separator"></div>
           <section class="buttons">
             <a class="button" href="${stores.appStoreUrl}">Download Comm</a>
             <a class="button secondary" href="${inviteLinkURL(secret)}">
               Invite Link
             </a>
           </section>
         </section>
         <a class="link" href="https://comm.app/">
           <span class="link-text">Visit Comm’s website</span>
           <img
             src="/images/arrow_up_right.svg"
             alt="arrow up right"
             class="arrow"
           />
         </a>
       </body>
     </html>
   `);
 }
 
 export { websiteResponder, inviteResponder };
diff --git a/keyserver/src/session/cookies.js b/keyserver/src/session/cookies.js
index 37368c46b..c748598f1 100644
--- a/keyserver/src/session/cookies.js
+++ b/keyserver/src/session/cookies.js
@@ -1,907 +1,889 @@
 // @flow
 
 import crypto from 'crypto';
 import type { $Response, $Request } from 'express';
 import invariant from 'invariant';
 import url from 'url';
 
 import type { Shape } from 'lib/types/core.js';
 import type { SignedIdentityKeysBlob } from 'lib/types/crypto-types.js';
 import { isWebPlatform } from 'lib/types/device-types.js';
 import type { Platform, PlatformDetails } from 'lib/types/device-types.js';
 import type { CalendarQuery } from 'lib/types/entry-types.js';
 import {
   type ServerSessionChange,
   cookieLifetime,
   cookieSources,
   type CookieSource,
   cookieTypes,
   sessionIdentifierTypes,
   type SessionIdentifierType,
 } from 'lib/types/session-types.js';
 import type { SIWESocialProof } from 'lib/types/siwe-types.js';
 import type { InitialClientSocketMessage } from 'lib/types/socket-types.js';
 import type { UserInfo } from 'lib/types/user-types.js';
 import { values } from 'lib/utils/objects.js';
 import { promiseAll } from 'lib/utils/promises.js';
 
 import {
   isBcryptHash,
   getCookieHash,
   verifyCookieHash,
 } from './cookie-hash.js';
 import { Viewer } from './viewer.js';
 import type { AnonymousViewerData, UserViewerData } from './viewer.js';
 import createIDs from '../creators/id-creator.js';
 import { createSession } from '../creators/session-creator.js';
 import { dbQuery, SQL } from '../database/database.js';
 import { deleteCookie } from '../deleters/cookie-deleters.js';
 import { handleAsyncPromise } from '../responders/handlers.js';
 import { clearDeviceToken } from '../updaters/device-token-updaters.js';
 import { assertSecureRequest } from '../utils/security-utils.js';
 import {
   type AppURLFacts,
   getAppURLFactsFromRequestURL,
 } from '../utils/urls.js';
 
 function cookieIsExpired(lastUsed: number) {
   return lastUsed + cookieLifetime <= Date.now();
 }
 
 type SessionParameterInfo = {
   isSocket: boolean,
   sessionID: ?string,
   sessionIdentifierType: SessionIdentifierType,
   ipAddress: string,
   userAgent: ?string,
 };
 
 type FetchViewerResult =
   | { type: 'valid', viewer: Viewer }
   | InvalidFetchViewerResult;
 
 type InvalidFetchViewerResult =
   | {
       type: 'nonexistant',
       cookieName: ?string,
       cookieSource: ?CookieSource,
       sessionParameterInfo: SessionParameterInfo,
     }
   | {
       type: 'invalidated',
       cookieName: string,
       cookieID: string,
       cookieSource: CookieSource,
       sessionParameterInfo: SessionParameterInfo,
       platformDetails: ?PlatformDetails,
       deviceToken: ?string,
     };
 
 async function fetchUserViewer(
   cookie: string,
   cookieSource: CookieSource,
   sessionParameterInfo: SessionParameterInfo,
 ): Promise<FetchViewerResult> {
   const [cookieID, cookiePassword] = cookie.split(':');
   if (!cookieID || !cookiePassword) {
     return {
       type: 'nonexistant',
       cookieName: cookieTypes.USER,
       cookieSource,
       sessionParameterInfo,
     };
   }
 
   const query = SQL`
     SELECT hash, user, last_used, platform, device_token, versions
     FROM cookies
     WHERE id = ${cookieID} AND user IS NOT NULL
   `;
   const [[result], allSessionInfo] = await Promise.all([
     dbQuery(query),
     fetchSessionInfo(sessionParameterInfo, cookieID),
   ]);
   if (result.length === 0) {
     return {
       type: 'nonexistant',
       cookieName: cookieTypes.USER,
       cookieSource,
       sessionParameterInfo,
     };
   }
 
   let sessionID = null,
     sessionInfo = null;
   if (allSessionInfo) {
     ({ sessionID, ...sessionInfo } = allSessionInfo);
   }
 
   const cookieRow = result[0];
   let platformDetails = null;
   if (cookieRow.versions) {
     const versions = JSON.parse(cookieRow.versions);
     platformDetails = {
       platform: cookieRow.platform,
       codeVersion: versions.codeVersion,
       stateVersion: versions.stateVersion,
     };
   } else {
     platformDetails = { platform: cookieRow.platform };
   }
   const deviceToken = cookieRow.device_token;
   const cookieHash = cookieRow.hash;
 
   if (
     !verifyCookieHash(cookiePassword, cookieHash) ||
     cookieIsExpired(cookieRow.last_used)
   ) {
     return {
       type: 'invalidated',
       cookieName: cookieTypes.USER,
       cookieID,
       cookieSource,
       sessionParameterInfo,
       platformDetails,
       deviceToken,
     };
   }
   const userID = cookieRow.user.toString();
   const viewer = new Viewer({
     isSocket: sessionParameterInfo.isSocket,
     loggedIn: true,
     id: userID,
     platformDetails,
     deviceToken,
     userID,
     cookieSource,
     cookieID,
     cookiePassword,
     cookieHash,
     sessionIdentifierType: sessionParameterInfo.sessionIdentifierType,
     sessionID,
     sessionInfo,
     isScriptViewer: false,
     ipAddress: sessionParameterInfo.ipAddress,
     userAgent: sessionParameterInfo.userAgent,
   });
   return { type: 'valid', viewer };
 }
 
 async function fetchAnonymousViewer(
   cookie: string,
   cookieSource: CookieSource,
   sessionParameterInfo: SessionParameterInfo,
 ): Promise<FetchViewerResult> {
   const [cookieID, cookiePassword] = cookie.split(':');
   if (!cookieID || !cookiePassword) {
     return {
       type: 'nonexistant',
       cookieName: cookieTypes.ANONYMOUS,
       cookieSource,
       sessionParameterInfo,
     };
   }
 
   const query = SQL`
     SELECT last_used, hash, platform, device_token, versions
     FROM cookies
     WHERE id = ${cookieID} AND user IS NULL
   `;
   const [[result], allSessionInfo] = await Promise.all([
     dbQuery(query),
     fetchSessionInfo(sessionParameterInfo, cookieID),
   ]);
   if (result.length === 0) {
     return {
       type: 'nonexistant',
       cookieName: cookieTypes.ANONYMOUS,
       cookieSource,
       sessionParameterInfo,
     };
   }
 
   let sessionID = null,
     sessionInfo = null;
   if (allSessionInfo) {
     ({ sessionID, ...sessionInfo } = allSessionInfo);
   }
 
   const cookieRow = result[0];
   let platformDetails = null;
   if (cookieRow.platform && cookieRow.versions) {
     const versions = JSON.parse(cookieRow.versions);
     platformDetails = {
       platform: cookieRow.platform,
       codeVersion: versions.codeVersion,
       stateVersion: versions.stateVersion,
     };
   } else if (cookieRow.platform) {
     platformDetails = { platform: cookieRow.platform };
   }
   const deviceToken = cookieRow.device_token;
   const cookieHash = cookieRow.hash;
 
   if (
     !verifyCookieHash(cookiePassword, cookieHash) ||
     cookieIsExpired(cookieRow.last_used)
   ) {
     return {
       type: 'invalidated',
       cookieName: cookieTypes.ANONYMOUS,
       cookieID,
       cookieSource,
       sessionParameterInfo,
       platformDetails,
       deviceToken,
     };
   }
   const viewer = new Viewer({
     isSocket: sessionParameterInfo.isSocket,
     loggedIn: false,
     id: cookieID,
     platformDetails,
     deviceToken,
     cookieSource,
     cookieID,
     cookiePassword,
     cookieHash,
     sessionIdentifierType: sessionParameterInfo.sessionIdentifierType,
     sessionID,
     sessionInfo,
     isScriptViewer: false,
     ipAddress: sessionParameterInfo.ipAddress,
     userAgent: sessionParameterInfo.userAgent,
   });
   return { type: 'valid', viewer };
 }
 
 type SessionInfo = {
   +sessionID: ?string,
   +lastValidated: number,
   +lastUpdate: number,
   +calendarQuery: CalendarQuery,
 };
 async function fetchSessionInfo(
   sessionParameterInfo: SessionParameterInfo,
   cookieID: string,
 ): Promise<?SessionInfo> {
   const { sessionID } = sessionParameterInfo;
   const session = sessionID !== undefined ? sessionID : cookieID;
   if (!session) {
     return null;
   }
   const query = SQL`
     SELECT query, last_validated, last_update
     FROM sessions
     WHERE id = ${session} AND cookie = ${cookieID}
   `;
   const [result] = await dbQuery(query);
   if (result.length === 0) {
     return null;
   }
   return {
     sessionID,
     lastValidated: result[0].last_validated,
     lastUpdate: result[0].last_update,
     calendarQuery: JSON.parse(result[0].query),
   };
 }
 
 // This function is meant to consume a cookie that has already been processed.
 // That means it doesn't have any logic to handle an invalid cookie, and it
 // doesn't update the cookie's last_used timestamp.
 async function fetchViewerFromCookieData(
   req: $Request,
   sessionParameterInfo: SessionParameterInfo,
 ): Promise<FetchViewerResult> {
   let viewerResult;
   const { user, anonymous } = req.cookies;
   if (user) {
     viewerResult = await fetchUserViewer(
       user,
       cookieSources.HEADER,
       sessionParameterInfo,
     );
   } else if (anonymous) {
     viewerResult = await fetchAnonymousViewer(
       anonymous,
       cookieSources.HEADER,
       sessionParameterInfo,
     );
   } else {
     return {
       type: 'nonexistant',
       cookieName: null,
       cookieSource: null,
       sessionParameterInfo,
     };
   }
 
   // We protect against CSRF attacks by making sure that on web,
   // non-GET requests cannot use a bare cookie for session identification
   if (viewerResult.type === 'valid') {
     const { viewer } = viewerResult;
     invariant(
       req.method === 'GET' ||
         viewer.sessionIdentifierType !== sessionIdentifierTypes.COOKIE_ID ||
         !isWebPlatform(viewer.platform),
       'non-GET request from web using sessionIdentifierTypes.COOKIE_ID',
     );
   }
 
   return viewerResult;
 }
 
 async function fetchViewerFromRequestBody(
   body: mixed,
   sessionParameterInfo: SessionParameterInfo,
 ): Promise<FetchViewerResult> {
   if (!body || typeof body !== 'object') {
     return {
       type: 'nonexistant',
       cookieName: null,
       cookieSource: null,
       sessionParameterInfo,
     };
   }
   const cookiePair = body.cookie;
   if (cookiePair === null || cookiePair === '') {
     return {
       type: 'nonexistant',
       cookieName: null,
       cookieSource: cookieSources.BODY,
       sessionParameterInfo,
     };
   }
   if (!cookiePair || typeof cookiePair !== 'string') {
     return {
       type: 'nonexistant',
       cookieName: null,
       cookieSource: null,
       sessionParameterInfo,
     };
   }
   const [type, cookie] = cookiePair.split('=');
   if (type === cookieTypes.USER && cookie) {
     return await fetchUserViewer(
       cookie,
       cookieSources.BODY,
       sessionParameterInfo,
     );
   } else if (type === cookieTypes.ANONYMOUS && cookie) {
     return await fetchAnonymousViewer(
       cookie,
       cookieSources.BODY,
       sessionParameterInfo,
     );
   }
   return {
     type: 'nonexistant',
     cookieName: null,
     cookieSource: null,
     sessionParameterInfo,
   };
 }
 
 function getRequestIPAddress(req: $Request) {
   const { proxy } = getAppURLFactsFromRequestURL(req.originalUrl);
   let ipAddress;
   if (proxy === 'none') {
     ipAddress = req.socket.remoteAddress;
   } else if (proxy === 'apache') {
     ipAddress = req.get('X-Forwarded-For');
   }
   invariant(ipAddress, 'could not determine requesting IP address');
   return ipAddress;
 }
 
 function getSessionParameterInfoFromRequestBody(
   req: $Request,
 ): SessionParameterInfo {
   const body = (req.body: any);
   let sessionID =
     body.sessionID !== undefined || req.method !== 'GET'
       ? body.sessionID
       : null;
   if (sessionID === '') {
     sessionID = null;
   }
   const sessionIdentifierType =
     req.method === 'GET' || sessionID !== undefined
       ? sessionIdentifierTypes.BODY_SESSION_ID
       : sessionIdentifierTypes.COOKIE_ID;
   return {
     isSocket: false,
     sessionID,
     sessionIdentifierType,
     ipAddress: getRequestIPAddress(req),
     userAgent: req.get('User-Agent'),
   };
 }
 
 async function fetchViewerForJSONRequest(req: $Request): Promise<Viewer> {
   assertSecureRequest(req);
   const sessionParameterInfo = getSessionParameterInfoFromRequestBody(req);
   let result = await fetchViewerFromRequestBody(req.body, sessionParameterInfo);
   if (
     result.type === 'nonexistant' &&
     (result.cookieSource === null || result.cookieSource === undefined)
   ) {
     result = await fetchViewerFromCookieData(req, sessionParameterInfo);
   }
   return await handleFetchViewerResult(result);
 }
 
 const webPlatformDetails = { platform: 'web' };
 async function fetchViewerForHomeRequest(req: $Request): Promise<Viewer> {
   assertSecureRequest(req);
   const sessionParameterInfo = getSessionParameterInfoFromRequestBody(req);
   const result = await fetchViewerFromCookieData(req, sessionParameterInfo);
   return await handleFetchViewerResult(result, webPlatformDetails);
 }
 
 async function fetchViewerForSocket(
   req: $Request,
   clientMessage: InitialClientSocketMessage,
 ): Promise<?Viewer> {
   assertSecureRequest(req);
   const { sessionIdentification } = clientMessage.payload;
   const { sessionID } = sessionIdentification;
   const sessionParameterInfo = {
     isSocket: true,
     sessionID,
     sessionIdentifierType:
       sessionID !== undefined
         ? sessionIdentifierTypes.BODY_SESSION_ID
         : sessionIdentifierTypes.COOKIE_ID,
     ipAddress: getRequestIPAddress(req),
     userAgent: req.get('User-Agent'),
   };
 
   let result = await fetchViewerFromRequestBody(
     clientMessage.payload.sessionIdentification,
     sessionParameterInfo,
   );
   if (
     result.type === 'nonexistant' &&
     (result.cookieSource === null || result.cookieSource === undefined)
   ) {
     result = await fetchViewerFromCookieData(req, sessionParameterInfo);
   }
   if (result.type === 'valid') {
     return result.viewer;
   }
 
   const promises = {};
   if (result.cookieSource === cookieSources.BODY) {
     // We initialize a socket's Viewer after the WebSocket handshake, since to
     // properly initialize the Viewer we need a bunch of data, but that data
     // can't be sent until after the handshake. Consequently, by the time we
     // know that a cookie may be invalid, we are no longer communicating via
     // HTTP, and have no way to set a new cookie for HEADER (web) clients.
     const platformDetails =
       result.type === 'invalidated' ? result.platformDetails : null;
     const deviceToken =
       result.type === 'invalidated' ? result.deviceToken : null;
     promises.anonymousViewerData = createNewAnonymousCookie({
       platformDetails,
       deviceToken,
     });
   }
   if (result.type === 'invalidated') {
     promises.deleteCookie = deleteCookie(result.cookieID);
   }
   const { anonymousViewerData } = await promiseAll(promises);
 
   if (!anonymousViewerData) {
     return null;
   }
 
   return createViewerForInvalidFetchViewerResult(result, anonymousViewerData);
 }
 
 async function handleFetchViewerResult(
   result: FetchViewerResult,
   inputPlatformDetails?: PlatformDetails,
 ) {
   if (result.type === 'valid') {
     return result.viewer;
   }
 
   let platformDetails = inputPlatformDetails;
   if (!platformDetails && result.type === 'invalidated') {
     platformDetails = result.platformDetails;
   }
   const deviceToken = result.type === 'invalidated' ? result.deviceToken : null;
 
   const [anonymousViewerData] = await Promise.all([
     createNewAnonymousCookie({ platformDetails, deviceToken }),
     result.type === 'invalidated' ? deleteCookie(result.cookieID) : null,
   ]);
 
   return createViewerForInvalidFetchViewerResult(result, anonymousViewerData);
 }
 
 function createViewerForInvalidFetchViewerResult(
   result: InvalidFetchViewerResult,
   anonymousViewerData: AnonymousViewerData,
 ): Viewer {
   // If a null cookie was specified in the request body, result.cookieSource
   // will still be BODY here. The only way it would be null or undefined here
   // is if there was no cookie specified in either the body or the header, in
   // which case we default to returning the new cookie in the response header.
   const cookieSource =
     result.cookieSource !== null && result.cookieSource !== undefined
       ? result.cookieSource
       : cookieSources.HEADER;
   const viewer = new Viewer({
     ...anonymousViewerData,
     cookieSource,
     sessionIdentifierType: result.sessionParameterInfo.sessionIdentifierType,
     isSocket: result.sessionParameterInfo.isSocket,
     ipAddress: result.sessionParameterInfo.ipAddress,
     userAgent: result.sessionParameterInfo.userAgent,
   });
   viewer.sessionChanged = true;
 
   // If cookieName is falsey, that tells us that there was no cookie specified
   // in the request, which means we can't be invalidating anything.
   if (result.cookieName) {
     viewer.cookieInvalidated = true;
     viewer.initialCookieName = result.cookieName;
   }
 
   return viewer;
 }
 
 function addSessionChangeInfoToResult(
   viewer: Viewer,
   res: $Response,
   result: Object,
-  appURLFacts: AppURLFacts,
 ) {
   let threadInfos = {},
     userInfos = {};
   if (result.cookieChange) {
     ({ threadInfos, userInfos } = result.cookieChange);
   }
   let sessionChange;
   if (viewer.cookieInvalidated) {
     sessionChange = ({
       cookieInvalidated: true,
       threadInfos,
       userInfos: (values(userInfos).map(a => a): UserInfo[]),
       currentUserInfo: {
         id: viewer.cookieID,
         anonymous: true,
       },
     }: ServerSessionChange);
   } else {
     sessionChange = ({
       cookieInvalidated: false,
       threadInfos,
       userInfos: (values(userInfos).map(a => a): UserInfo[]),
     }: ServerSessionChange);
   }
   if (viewer.cookieSource === cookieSources.BODY) {
     sessionChange.cookie = viewer.cookiePairString;
-  } else {
-    addActualHTTPCookie(viewer, res, appURLFacts);
   }
   if (viewer.sessionIdentifierType === sessionIdentifierTypes.BODY_SESSION_ID) {
     sessionChange.sessionID = viewer.sessionID ? viewer.sessionID : null;
   }
   result.cookieChange = sessionChange;
 }
 
 type AnonymousCookieCreationParams = Shape<{
   +platformDetails: ?PlatformDetails,
   +deviceToken: ?string,
 }>;
 const defaultPlatformDetails = {};
 
 // The result of this function should not be passed directly to the Viewer
 // constructor. Instead, it should be passed to viewer.setNewCookie. There are
 // several fields on AnonymousViewerData that are not set by this function:
 // sessionIdentifierType, cookieSource, ipAddress, and userAgent. These
 // parameters all depend on the initial request. If the result of this function
 // is passed to the Viewer constructor directly, the resultant Viewer object
 // will throw whenever anybody attempts to access the relevant properties.
 async function createNewAnonymousCookie(
   params: AnonymousCookieCreationParams,
 ): Promise<AnonymousViewerData> {
   const { platformDetails, deviceToken } = params;
   const { platform, ...versions } = platformDetails || defaultPlatformDetails;
   const versionsString =
     Object.keys(versions).length > 0 ? JSON.stringify(versions) : null;
 
   const time = Date.now();
   const cookiePassword = crypto.randomBytes(32).toString('hex');
   const cookieHash = getCookieHash(cookiePassword);
   const [[id]] = await Promise.all([
     createIDs('cookies', 1),
     deviceToken ? clearDeviceToken(deviceToken) : undefined,
   ]);
 
   const cookieRow = [
     id,
     cookieHash,
     null,
     platform,
     time,
     time,
     deviceToken,
     versionsString,
   ];
   const query = SQL`
     INSERT INTO cookies(id, hash, user, platform, creation_time, last_used,
       device_token, versions)
     VALUES ${[cookieRow]}
   `;
   await dbQuery(query);
   return {
     loggedIn: false,
     id,
     platformDetails,
     deviceToken,
     cookieID: id,
     cookiePassword,
     cookieHash,
     sessionID: undefined,
     sessionInfo: null,
     cookieInsertedThisRequest: true,
     isScriptViewer: false,
   };
 }
 
 type UserCookieCreationParams = {
   +platformDetails: PlatformDetails,
   +deviceToken?: ?string,
   +socialProof?: ?SIWESocialProof,
   +signedIdentityKeysBlob?: ?SignedIdentityKeysBlob,
 };
 
 // The result of this function should never be passed directly to the Viewer
 // constructor. Instead, it should be passed to viewer.setNewCookie. There are
 // several fields on UserViewerData that are not set by this function:
 // sessionID, sessionIdentifierType, cookieSource, and ipAddress. These
 // parameters all depend on the initial request. If the result of this function
 // is passed to the Viewer constructor directly, the resultant Viewer object
 // will throw whenever anybody attempts to access the relevant properties.
 async function createNewUserCookie(
   userID: string,
   params: UserCookieCreationParams,
 ): Promise<UserViewerData> {
   const { platformDetails, deviceToken, socialProof, signedIdentityKeysBlob } =
     params;
   const { platform, ...versions } = platformDetails || defaultPlatformDetails;
   const versionsString =
     Object.keys(versions).length > 0 ? JSON.stringify(versions) : null;
 
   const time = Date.now();
   const cookiePassword = crypto.randomBytes(32).toString('hex');
   const cookieHash = getCookieHash(cookiePassword);
   const [[cookieID]] = await Promise.all([
     createIDs('cookies', 1),
     deviceToken ? clearDeviceToken(deviceToken) : undefined,
   ]);
 
   const cookieRow = [
     cookieID,
     cookieHash,
     userID,
     platform,
     time,
     time,
     deviceToken,
     versionsString,
     JSON.stringify(socialProof),
     signedIdentityKeysBlob ? JSON.stringify(signedIdentityKeysBlob) : null,
   ];
   const query = SQL`
     INSERT INTO cookies(id, hash, user, platform, creation_time, last_used,
       device_token, versions, social_proof, signed_identity_keys)
     VALUES ${[cookieRow]}
   `;
   await dbQuery(query);
   return {
     loggedIn: true,
     id: userID,
     platformDetails,
     deviceToken,
     userID,
     cookieID,
     sessionID: undefined,
     sessionInfo: null,
     cookiePassword,
     cookieHash,
     cookieInsertedThisRequest: true,
     isScriptViewer: false,
   };
 }
 
 // This gets called after createNewUserCookie and from websiteResponder. If the
 // Viewer's sessionIdentifierType is COOKIE_ID then the cookieID is used as the
 // session identifier; otherwise, a new ID is created for the session.
 async function setNewSession(
   viewer: Viewer,
   calendarQuery: CalendarQuery,
   initialLastUpdate: number,
 ): Promise<void> {
   if (viewer.sessionIdentifierType !== sessionIdentifierTypes.COOKIE_ID) {
     const [sessionID] = await createIDs('sessions', 1);
     viewer.setSessionID(sessionID);
   }
   await createSession(viewer, calendarQuery, initialLastUpdate);
 }
 
 async function updateCookie(viewer: Viewer) {
   const time = Date.now();
   const { cookieID, cookieHash, cookiePassword } = viewer;
 
   const updateObj = {};
   updateObj.last_used = time;
   if (isBcryptHash(cookieHash)) {
     updateObj.hash = getCookieHash(cookiePassword);
   }
   const query = SQL`
     UPDATE cookies SET ${updateObj} WHERE id = ${cookieID}
   `;
   await dbQuery(query);
 }
 
 function addCookieToJSONResponse(
   viewer: Viewer,
   res: $Response,
   result: Object,
   expectCookieInvalidation: boolean,
-  appURLFacts: AppURLFacts,
 ) {
   if (expectCookieInvalidation) {
     viewer.cookieInvalidated = false;
   }
   if (!viewer.getData().cookieInsertedThisRequest) {
     handleAsyncPromise(updateCookie(viewer));
   }
   if (viewer.sessionChanged) {
-    addSessionChangeInfoToResult(viewer, res, result, appURLFacts);
-  } else if (viewer.cookieSource !== cookieSources.BODY) {
-    addActualHTTPCookie(viewer, res, appURLFacts);
+    addSessionChangeInfoToResult(viewer, res, result);
   }
 }
 
 function addCookieToHomeResponse(
-  viewer: Viewer,
+  req: $Request,
   res: $Response,
   appURLFacts: AppURLFacts,
 ) {
-  if (!viewer.getData().cookieInsertedThisRequest) {
-    handleAsyncPromise(updateCookie(viewer));
+  const { user, anonymous } = req.cookies;
+  if (user) {
+    res.cookie(cookieTypes.USER, user, getCookieOptions(appURLFacts));
+  }
+  if (anonymous) {
+    res.cookie(cookieTypes.ANONYMOUS, anonymous, getCookieOptions(appURLFacts));
   }
-  addActualHTTPCookie(viewer, res, appURLFacts);
 }
 
 function getCookieOptions(appURLFacts: AppURLFacts) {
   const { baseDomain, basePath, https } = appURLFacts;
   const domainAsURL = new url.URL(baseDomain);
   return {
     domain: domainAsURL.hostname,
     path: basePath,
     httpOnly: false,
     secure: https,
     maxAge: cookieLifetime,
     sameSite: 'Strict',
   };
 }
 
-function addActualHTTPCookie(
-  viewer: Viewer,
-  res: $Response,
-  appURLFacts: AppURLFacts,
-) {
-  res.cookie(
-    viewer.cookieName,
-    viewer.cookieString,
-    getCookieOptions(appURLFacts),
-  );
-  if (viewer.cookieName !== viewer.initialCookieName) {
-    res.clearCookie(viewer.initialCookieName, getCookieOptions(appURLFacts));
-  }
-}
-
 async function setCookieSignedIdentityKeysBlob(
   cookieID: string,
   signedIdentityKeysBlob: SignedIdentityKeysBlob,
 ) {
   const signedIdentityKeysStr = JSON.stringify(signedIdentityKeysBlob);
   const query = SQL`
     UPDATE cookies 
     SET signed_identity_keys = ${signedIdentityKeysStr}
     WHERE id = ${cookieID}
   `;
   await dbQuery(query);
 }
 
 // Returns `true` if row with `id = cookieID` exists AND
 // `signed_identity_keys` is `NULL`. Otherwise, returns `false`.
 async function isCookieMissingSignedIdentityKeysBlob(
   cookieID: string,
 ): Promise<boolean> {
   const query = SQL`
     SELECT signed_identity_keys
     FROM cookies 
     WHERE id = ${cookieID}
   `;
   const [queryResult] = await dbQuery(query);
   return (
     queryResult.length === 1 && queryResult[0].signed_identity_keys === null
   );
 }
 
 async function isCookieMissingOlmNotificationsSession(
   viewer: Viewer,
 ): Promise<boolean> {
   if (
     !viewer.platformDetails ||
     (viewer.platformDetails.platform !== 'ios' &&
       viewer.platformDetails.platform !== 'android') ||
     !viewer.platformDetails.codeVersion ||
     viewer.platformDetails.codeVersion <= 222
   ) {
     return false;
   }
   const query = SQL`
     SELECT COUNT(*) AS count
     FROM olm_sessions
     WHERE cookie_id = ${viewer.cookieID} AND is_content = FALSE
   `;
   const [queryResult] = await dbQuery(query);
   return queryResult[0].count === 0;
 }
 
 async function setCookiePlatform(
   viewer: Viewer,
   platform: Platform,
 ): Promise<void> {
   const newPlatformDetails = { ...viewer.platformDetails, platform };
   viewer.setPlatformDetails(newPlatformDetails);
   const query = SQL`
     UPDATE cookies
     SET platform = ${platform}
     WHERE id = ${viewer.cookieID}
   `;
   await dbQuery(query);
 }
 
 async function setCookiePlatformDetails(
   viewer: Viewer,
   platformDetails: PlatformDetails,
 ): Promise<void> {
   viewer.setPlatformDetails(platformDetails);
   const { platform, ...versions } = platformDetails;
   const versionsString =
     Object.keys(versions).length > 0 ? JSON.stringify(versions) : null;
   const query = SQL`
     UPDATE cookies
     SET platform = ${platform}, versions = ${versionsString}
     WHERE id = ${viewer.cookieID}
   `;
   await dbQuery(query);
 }
 
 export {
   fetchViewerForJSONRequest,
   fetchViewerForHomeRequest,
   fetchViewerForSocket,
   createNewAnonymousCookie,
   createNewUserCookie,
   setNewSession,
   updateCookie,
   addCookieToJSONResponse,
   addCookieToHomeResponse,
   setCookieSignedIdentityKeysBlob,
   isCookieMissingSignedIdentityKeysBlob,
   setCookiePlatform,
   setCookiePlatformDetails,
   isCookieMissingOlmNotificationsSession,
 };