We need to do this ugly thing because CORS and single sign-on do not
play well together, most importantly they break on redirects to the
sso-server (which is cross-origin), so you need to be logged in
already on all backends (monitor, alerts) for the page to "work"...