That’s very disappointing! I was under the impression that “personal” meant “accesible by my user only”! That personal option is great opportunity for data leaks 
Ohhh I see the confusion. When I mentioned cookies, I was referring to cookies created by the web app. But I realize now that makes no sense! lol I was pretty tired when I wrote that. That’s why it was confusing to you guess. The app inside the iframe has full control over the cookies and if the session cookie exists, you are logged in. No need to get Coda involved.
That’s VERY frustrating! And it also means that any new trick will also receive a counter measure and stop working.
Looks like I met, fell in love, and want to break up in less than a week!
I just sent a suggestion to at least remove the warning for “approved email domains”. That would be something to me
Here it is: