I had to read the article three times to understand that the “registration cookie” is not actually an HTTP cookie but a token.