Doesn't the cookie pose security risks if it stores the access token? That is why my train of thought was to store the 'access token' in the app itself, by way of a data store, and store the refresh token in the cookie with appropriate config, so that on reload the SPA can use the refresh token to request another 'access token' and avoid a re-login for the user.
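The split described in this post, as an added example that is not part of the original post: the refresh token goes in a cookie with restrictive attributes, the access token stays in a closure inside the SPA, and an audit helper flags a weaker cookie. The cookie name, the `/auth/refresh` path, the `access_token` response field and all function names are assumptions.

```javascript
// Added example; names, paths and token values are assumptions, not from the post.

// Server side: build the Set-Cookie value that carries the refresh token.
function buildRefreshCookie(refreshToken, maxAgeSeconds = 7 * 24 * 3600) {
  return [
    `refresh_token=${encodeURIComponent(refreshToken)}`,
    'HttpOnly',            // not readable through document.cookie
    'Secure',              // only sent over HTTPS
    'SameSite=Strict',     // not attached to cross-site requests
    'Path=/auth/refresh',  // only sent to the refresh endpoint (hypothetical path)
    `Max-Age=${maxAgeSeconds}`,
  ].join('; ');
}

// Review check: list the protections a refresh cookie is missing.
function auditRefreshCookie(setCookie) {
  const attrs = setCookie.split(';').slice(1).map(a => a.trim().toLowerCase());
  const findings = [];
  if (!attrs.includes('httponly')) findings.push('missing HttpOnly');
  if (!attrs.includes('secure')) findings.push('missing Secure');
  const sameSite = attrs.find(a => a.startsWith('samesite='));
  if (!sameSite || sameSite === 'samesite=none') findings.push('SameSite not Lax/Strict');
  const path = attrs.find(a => a.startsWith('path='));
  if (!path || path === 'path=/') findings.push('Path not scoped to refresh endpoint');
  return findings;
}

// Client side: the access token lives only in this closure and is lost on reload.
function createTokenStore(fetchImpl) {
  let accessToken = null;
  let inFlight = null; // concurrent callers share one refresh request
  async function refresh() {
    // The browser attaches the HttpOnly cookie; script never sees the refresh token.
    const res = await fetchImpl('/auth/refresh', { method: 'POST', credentials: 'include' });
    if (!res.ok) { accessToken = null; throw new Error('re-login required'); }
    accessToken = (await res.json()).access_token;
    return accessToken;
  }
  return {
    getAccessToken() {
      if (accessToken) return Promise.resolve(accessToken);
      inFlight = inFlight || refresh().finally(() => { inFlight = null; });
      return inFlight;
    },
    clear() { accessToken = null; }, // call on logout
  };
}
```

In the browser, `createTokenStore(window.fetch.bind(window))` gives the SPA a store that silently re-fetches the access token after a reload for as long as the refresh cookie is valid.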