diff --git a/README.md b/README.md
index 6d38308..ebc0ef4 100644
--- a/README.md
+++ b/README.md
@@ -83,3 +83,9 @@ server {
     }
 }
 ```
+
+## Documentation
+
+* /oauth2/sign_in - the login page, which also doubles as a sign out page (it clears cookies)
+* /oauth2/start - a URL that will redirect to start the oauth cycle
+* /oauth2/callback - the URL used at the end of the oauth cycle
diff --git a/oauthproxy.go b/oauthproxy.go
index 44ede97..fcb3553 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -148,13 +148,13 @@ func (p *OauthProxy) getUserInfo(token string) (string, error) {
 	return email, nil
 }
 
-func ClearCookie(rw http.ResponseWriter, req *http.Request, key string) {
+func (p *OauthProxy) ClearCookie(rw http.ResponseWriter, req *http.Request) {
 	domain := strings.Split(req.Host, ":")[0]
 	if *cookieDomain != "" {
 		domain = *cookieDomain
 	}
 	cookie := &http.Cookie{
-		Name:     key,
+		Name:     p.CookieKey,
 		Value:    "",
 		Path:     "/",
 		Domain:   domain,
@@ -164,6 +164,25 @@ func ClearCookie(rw http.ResponseWriter, req *http.Request, key string) {
 	http.SetCookie(rw, cookie)
 }
 
+func (p *OauthProxy) SetCookie(rw http.ResponseWriter, req *http.Request, val string) {
+	
+	domain := strings.Split(req.Host, ":")[0] // strip the port (if any)
+	if *cookieDomain != "" {
+		domain = *cookieDomain
+	}
+	cookie := &http.Cookie{
+		Name:     p.CookieKey,
+		Value:    signedCookieValue(p.CookieSeed, p.CookieKey, val),
+		Path:     "/",
+		Domain:   domain,
+		Expires:  time.Now().Add(time.Duration(168) * time.Hour), // 7 days
+		HttpOnly: true,
+		// Secure: req. ... ? set if X-Scheme: https ?
+	}
+	http.SetCookie(rw, cookie)
+}
+
+
 func (p *OauthProxy) ErrorPage(rw http.ResponseWriter, code int, title string, message string) {
 	log.Printf("ErrorPage %d %s %s", code, title, message)
 	rw.WriteHeader(code)
@@ -180,6 +199,7 @@ func (p *OauthProxy) ErrorPage(rw http.ResponseWriter, code int, title string, m
 
 func (p *OauthProxy) SignInPage(rw http.ResponseWriter, req *http.Request, code int) {
 	// TODO: capture state for which url to redirect to at the end
+	p.ClearCookie(rw, req)
 	rw.WriteHeader(code)
 	templates := getTemplates()
 	t := struct{ SignInMessage string }{SignInMessage: p.SignInMessage}
@@ -189,7 +209,6 @@ func (p *OauthProxy) SignInPage(rw http.ResponseWriter, req *http.Request, code
 func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 	// check if this is a redirect back at the end of oauth
 	if req.URL.Path == signInPath {
-		ClearCookie(rw, req, p.CookieKey)
 		p.SignInPage(rw, req, 200)
 		return
 	}
@@ -232,21 +251,7 @@ func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 		// set cookie, or deny
 		if p.Validator(email) {
 			log.Printf("authenticating %s completed", email)
-			domain := strings.Split(req.Host, ":")[0]
-			if *cookieDomain != "" {
-				domain = *cookieDomain
-			}
-
-			cookie := &http.Cookie{
-				Name:     p.CookieKey,
-				Value:    signedCookieValue(p.CookieSeed, p.CookieKey, email),
-				Path:     "/",
-				Domain:   domain,
-				Expires:  time.Now().Add(time.Duration(168) * time.Hour), // 7 days
-				HttpOnly: true,
-				// Secure: req. ... ? set if X-Scheme: https ?
-			}
-			http.SetCookie(rw, cookie)
+			p.SetCookie(rw, req, email)
 			http.Redirect(rw, req, "/", 302)
 			return
 		} else {
@@ -266,6 +271,9 @@ func (p *OauthProxy) ServeHTTP(rw http.ResponseWriter, req *http.Request) {
 
 	if !ok {
 		user, ok = p.CheckBasicAuth(req)
+		if ok {
+			p.SetCookie(rw, req, user)
+		}
 	}
 
 	if !ok {