Renamed the "Sign In" button on the website to "Launch App". That way there’s no need to check if the user is authenticated to show the username.
IOW, I can serve the website statically. So there’s no need for an iframe for dynamic parts, or for allowing the cookie from a subdomain on the www.