diff --git a/copyparty/httpcli.py b/copyparty/httpcli.py
index 9bb35cc5..cc56a8b4 100644
--- a/copyparty/httpcli.py
+++ b/copyparty/httpcli.py
@@ -2161,17 +2161,17 @@ class HttpCli(object):
 
             msg = "naw dude"
             pwd = "x"  # nosec
-            dur = None
+            dur = 0
 
         if pwd == "x":
             # reset both plaintext and tls
             # (only affects active tls cookies when tls)
             for k in ("cppwd", "cppws") if self.is_https else ("cppwd",):
-                ck = gencookie(k, pwd, self.args.R, False, dur)
+                ck = gencookie(k, pwd, self.args.R, False)
                 self.out_headerlist.append(("Set-Cookie", ck))
         else:
             k = "cppws" if self.is_https else "cppwd"
-            ck = gencookie(k, pwd, self.args.R, self.is_https, dur)
+            ck = gencookie(k, pwd, self.args.R, self.is_https, dur, "; HttpOnly")
             self.out_headerlist.append(("Set-Cookie", ck))
 
         return msg
@@ -3299,7 +3299,7 @@ class HttpCli(object):
         if v == "y":
             dur = 86400 * 299
         else:
-            dur = None
+            dur = 0
             v = "x"
 
         ck = gencookie("k304", v, self.args.R, False, dur)
@@ -3317,7 +3317,7 @@ class HttpCli(object):
 
     def set_cfg_reset(self) -> bool:
         for k in ("k304", "js", "idxh", "cppwd", "cppws"):
-            cookie = gencookie(k, "x", self.args.R, False, None)
+            cookie = gencookie(k, "x", self.args.R, False)
             self.out_headerlist.append(("Set-Cookie", cookie))
 
         self.redirect("", "?h#cc")
diff --git a/copyparty/util.py b/copyparty/util.py
index 95388714..7d3dab91 100644
--- a/copyparty/util.py
+++ b/copyparty/util.py
@@ -1647,16 +1647,15 @@ def gen_filekey_dbg(
     return ret
 
 
-def gencookie(k: str, v: str, r: str, tls: bool, dur: Optional[int]) -> str:
+def gencookie(k: str, v: str, r: str, tls: bool, dur: int = 0, txt: str = "") -> str:
     v = v.replace("%", "%25").replace(";", "%3B")
     if dur:
         exp = formatdate(time.time() + dur, usegmt=True)
     else:
         exp = "Fri, 15 Aug 1997 01:00:00 GMT"
 
-    return "{}={}; Path=/{}; Expires={}{}; SameSite=Lax".format(
-        k, v, r, exp, "; Secure" if tls else ""
-    )
+    t = "%s=%s; Path=/%s; Expires=%s%s%s; SameSite=Lax"
+    return t % (k, v, r, exp, "; Secure" if tls else "", txt)
 
 
 def humansize(sz: float, terse: bool = False) -> str:
@@ -2511,7 +2510,7 @@ def killtree(root: int) -> None:
 def _find_nice() -> str:
     if WINDOWS:
         return ""  # use creationflags
-    
+
     try:
         zs = shutil.which("nice")
         if zs:
diff --git a/copyparty/web/browser.js b/copyparty/web/browser.js
index 88afe800..5a39a3b7 100644
--- a/copyparty/web/browser.js
+++ b/copyparty/web/browser.js
@@ -1506,7 +1506,6 @@ var mpl = (function () {
 			artist = (np.circle && np.circle != np.artist ? np.circle + ' // ' : '') + (np.artist || (fns.length > 1 ? fns[0] : '')),
 			title = np.title || fns.pop(),
 			cover = '',
-			pcover = '',
 			tags = { title: title };
 
 		if (artist)
@@ -1521,20 +1520,14 @@ var mpl = (function () {
 
 			for (var a = 0, aa = files.length; a < aa; a++) {
 				if (/^(cover|folder)\.(jpe?g|png|gif)$/i.test(files[a].textContent)) {
-					cover = noq_href(files[a]);
+					cover = files[a].getAttribute('href');
 					break;
 				}
 			}
 
 			if (cover) {
 				cover += (cover.indexOf('?') === -1 ? '?' : '&') + 'th=j';
-				pcover = cover;
-
-				var pwd = get_pwd();
-				if (pwd)
-					pcover += '&pw=' + uricom_enc(pwd);
-
-				tags.artwork = [{ "src": pcover, type: "image/jpeg" }];
+				tags.artwork = [{ "src": cover, type: "image/jpeg" }];
 			}
 		}
 
@@ -1546,7 +1539,7 @@ var mpl = (function () {
 		ebi('np_dur').textContent = np['.dur'] || '';
 		ebi('np_url').textContent = get_vpath() + np.file.split('?')[0];
 		if (!MOBILE)
-			ebi('np_img').setAttribute('src', cover || ''); // dont give last.fm the pwd
+			ebi('np_img').setAttribute('src', cover || '');
 
 		navigator.mediaSession.metadata = new MediaMetadata(tags);
 		navigator.mediaSession.setActionHandler('play', mplay);
@@ -1724,7 +1717,7 @@ function MPlayer() {
 		var t0 = Date.now();
 
 		if (mpl.waves)
-			fetch(url + '&th=p').then(function (x) {
+			fetch(url.replace(/\bth=opus&/, '') + '&th=p').then(function (x) {
 				x.body.getReader().read();
 			});
 
@@ -3020,7 +3013,7 @@ function play(tid, is_ev, seek) {
 
 		pbar.unwave();
 		if (mpl.waves)
-			pbar.loadwaves(url + '&th=p');
+			pbar.loadwaves(url.replace(/\bth=opus&/, '') + '&th=p');
 
 		mpui.progress_updater();
 		pbar.onresize();
diff --git a/copyparty/web/util.js b/copyparty/web/util.js
index 822b958f..9dfea822 100644
--- a/copyparty/web/util.js
+++ b/copyparty/web/util.js
@@ -754,17 +754,6 @@ function noq_href(el) {
 }
 
 
-function get_pwd() {
-    var k = HTTPS ? 's=' : 'd=',
-        pwd = ('; ' + document.cookie).split('; cppw' + k);
-
-    if (pwd.length < 2)
-        return null;
-
-    return decodeURIComponent(pwd[1].split(';')[0]);
-}
-
-
 function unix2iso(ts) {
     return new Date(ts * 1000).toISOString().replace("T", " ").slice(0, -5);
 }