Description
The client side of Guacamole has stored the authentication token for Guacamole's REST services within a cookie called GUAC_AUTH since roughly 0.9.4, as part of the general refactor that occurred when migrating from traditional Java servlets to an AngularJS single-page app. Although the cookie is only actually used client-side, it is still a cookie, so the browser automatically sends it over the network to the Guacamole server, where it is ultimately received and completely ignored.
This unnecessary use of cookies should be removed and replaced with something more in line with the way the auth token is actually used, such as localStorage.
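A sketch of the replacement described above, as an added example that is not Guacamole's own code: a token store backed by localStorage that migrates any existing GUAC_AUTH cookie once and then expires it so the browser stops sending it. The function names, the `path=/` attribute, the treatment of the cookie value as an opaque string and the fake storage/document objects are assumptions made so the example runs outside a browser.

```javascript
// Added example: hypothetical token store, not Guacamole's own code.
const KEY = 'GUAC_AUTH'; // cookie name taken from the page

// Read one cookie value from a document-like object (in a browser: document).
function readCookie(doc, name) {
  for (const part of doc.cookie.split(';')) {
    const [k, ...v] = part.trim().split('=');
    if (k === name) return decodeURIComponent(v.join('='));
  }
  return null;
}

// storage: localStorage-like object; doc: document-like object.
function createTokenStore(storage, doc) {
  // One-time migration: copy a legacy cookie value, then expire the cookie.
  const legacy = readCookie(doc, KEY);
  if (legacy !== null) {
    if (storage.getItem(KEY) === null) storage.setItem(KEY, legacy);
    doc.cookie = KEY + '=; Max-Age=0; path=/'; // path is an assumption
  }
  return {
    get: () => storage.getItem(KEY),
    set: (token) => storage.setItem(KEY, token),
    clear: () => storage.removeItem(KEY),
  };
}

// Constructed stand-ins for localStorage and document (simplified).
function fakeStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
function fakeDocument(initial) {
  const jar = new Map(Object.entries(initial));
  return {
    get cookie() { return [...jar].map(([k, v]) => k + '=' + v).join('; '); },
    set cookie(s) {
      const [k, v] = s.split(';')[0].trim().split('=');
      if (/max-age=0/i.test(s)) jar.delete(k); else jar.set(k, v);
    },
  };
}

function demo() {
  const doc = fakeDocument({ GUAC_AUTH: 'CONSTRUCTED-TOKEN', other: '1' });
  const store = createTokenStore(fakeStorage(), doc);
  return { token: store.get(), cookieHeader: doc.cookie };
}
```

After migration the token no longer appears in what the browser would attach as cookies; it remains readable by any script running on the origin, as the script-readable cookie already was.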