diff --git a/controllers/core/core.go b/controllers/core/core.go
index ae5604d..82f4807 100644
--- a/controllers/core/core.go
+++ b/controllers/core/core.go
@@ -154,6 +154,8 @@ func UserLogin() gin.HandlerFunc {
 }
 jwt, maxAge := u.GetJwt()
+//TODO we should set the domain for this cookie via a variable as it may not
+// always be /v1/sec
 c.SetCookie(JwtHeader, jwt, maxAge, "/v1/sec/", "", true, true)
 <-minTime
 }
@@ -359,7 +361,7 @@ func AdminLogin() gin.HandlerFunc {
 }
 jwt, maxAge := a.GetJwt()
-c.SetCookie(JwtHeader, jwt, maxAge, "/v1/sec/", "", true, true)
+c.SetCookie(JwtHeader, jwt, maxAge, "/v1/adm/", "", true, true)
 <-minTime
 }
 }
@@ -563,4 +565,4 @@ func checkTwoFactorNotReused(a *models.Auth, tfCode string) bool {
 // @Param twofactorcode query string true "2FA authentication code"
 // @Router /sec/2fa-doot [get]
 // @Success 200
-func secureDootDefinition() {}
+func SecureDootDefinition() {}
diff --git a/controllers/ratelimit.go b/controllers/ratelimit.go
index b1907d0..19ba2d9 100644
--- a/controllers/ratelimit.go
+++ b/controllers/ratelimit.go
@@ -91,6 +91,10 @@ var unauthed = megabucket{
 },
 }
+/**
+ * Applies rate limiting to unauthorized actors based on their IP address.
+ * Imperfect, but better than a stab to the eye with a blunt pencil.
+ */
 func UnauthRateLimit() gin.HandlerFunc {
 return func(c *gin.Context) {
 ip := c.ClientIP()
@@ -109,6 +113,10 @@ var authed = megabucket{
 },
 }
+/**
+ * Authorized rate limit. Using the UID of the authorized user as the
+ * accessor signature, rate limit based on the preexisting rules.
+ */
 func AuthedRateLimit() gin.HandlerFunc {
 return func(c *gin.Context) {
 pif, exists := c.Get("principal")
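Review bot: The added TODO says "domain", but the hard-coded value on the following `c.SetCookie` line is the cookie path argument (`"/v1/sec/"`); the domain argument is the empty string, which keeps the cookie host-only and is the safer setting, so the TODO should name the path instead: `// TODO: make the cookie path configurable; the empty domain keeps the cookie host-only on purpose.` Gin's `SetCookie` only emits a SameSite attribute when `c.SetSameSite(...)` has been called earlier on the context, so it is worth confirming the login path does that before writing a session cookie; that cannot be seen from this hunk. UserLogin's body starts before the hunk.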
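Review bot: The new `"/v1/adm/"` literal duplicates the path hard-coded in UserLogin (first hunk) under the same cookie name `JwtHeader`, so a browser may hold a user token and an admin token side by side, and the TODO from that hunk applies here as well; lifting both paths into named constants beside `JwtHeader` (constructed names, e.g. `userCookiePath` and `adminCookiePath`) would keep them in one place. Cookie path scoping is a routing convenience rather than a trust boundary, so handlers under /v1/adm/ should still verify the admin claim carried in the token instead of relying on which cookie arrived; that check is outside this hunk and cannot be confirmed here. AdminLogin's body starts before the hunk.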
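Review bot: The new doc comments on `UnauthRateLimit` (and on `AuthedRateLimit` in the next hunk) use `/** ... */` Javadoc style, which Go tooling does not treat as a doc comment sentence; the Go convention is `//` lines beginning with the function name, e.g. `// UnauthRateLimit rate-limits unauthenticated requests, keyed by client IP.` The "Imperfect" remark is worth making concrete: in recent gin versions `c.ClientIP()` honours forwarded-for headers according to the engine's trusted-proxy configuration, so the bucket key is only as reliable as that setting, and one sentence saying so would help the next reader. The function body continues past the hunk.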