i've noticed that when i test my api with postman, the response contains an access_token and an sidRefreshToken, but when i test a GET endpoint on my api with a browser, i will receive 3 cookies: access_token, sidRefreshToken and refreshToken any ideas why this is happening?