Why not just not send cookies instead of blocking the request completely?