Receiving name & password parameters does not prevent us from also
receiving the authentication cookie. It must not be kept in the request.
And likewise for requests also containing an HTTP authentication header.
And likewise for requests for which CookieCrumbler disables itself on.