diff --git a/EFFICIENCY_REPORT.md b/EFFICIENCY_REPORT.md
new file mode 100644
index 0000000..12798f7
--- /dev/null
+++ b/EFFICIENCY_REPORT.md
@@ -0,0 +1,75 @@
+# CatShare Efficiency Analysis Report
+
+## Overview
+This report documents efficiency issues identified in the CatShare codebase and provides recommendations for improvement.
+
+## Identified Efficiency Issues
+
+### 1. Inefficient Cookie Parsing (HIGH IMPACT)
+**Location:** `app/helper/auth.js` lines 22-26
+**Issue:** The `getAppCookies` function uses `forEach` to parse cookies, which creates unnecessary function call overhead for every authenticated request.
+**Current Code:**
+```javascript
+rawCookies.forEach(rawCookie=>{
+    const parsedCookie = rawCookie.split('=');
+    parsedCookie[parsedCookie[0]] = parsedCookie[1];
+});
+```
+**Impact:** Affects performance of every authenticated request to the application.
+**Recommendation:** Replace with `reduce()` method for better performance and functional programming style.
+
+### 2. Missing Return Statement (MEDIUM IMPACT)
+**Location:** `app/index.js` lines 97-98
+**Issue:** Missing return statement after admin check causes unnecessary code execution.
+**Current Code:**
+```javascript
+if (auth_cookie_id == "admin") res.send("Welcome admin!\n Here is the user data, please keep confidential\n" + JSON.stringify(secrets.people));
+res.send("You are " + auth_cookie_id + ".\nSorry, you do not have admin access to this endpoint. <a href='/logout'>logout</a>");
+```
+**Impact:** Both response messages are sent for admin users, causing potential issues.
+**Recommendation:** Add return statement after admin response.
+
+### 3. Synchronous XMLHttpRequest (MEDIUM IMPACT)
+**Location:** `app/public/secret.html` line 55
+**Issue:** Uses synchronous XMLHttpRequest which blocks the browser's main thread.
+**Current Code:**
+```javascript
+req.open("GET", "https://dog.ceo/api/breeds/image/random", false);
+```
+**Impact:** Freezes the browser UI during the API call.
+**Recommendation:** Remove the `false` parameter to make it asynchronous.
+
+### 4. Unnecessary Console.log (LOW IMPACT)
+**Location:** `app/public/secret.html` line 54
+**Issue:** Debug console.log statement serves no purpose in production.
+**Current Code:**
+```javascript
+console.log("7");
+```
+**Impact:** Minor performance overhead and clutters browser console.
+**Recommendation:** Remove the debug statement.
+
+### 5. String Concatenation Opportunities (LOW IMPACT)
+**Location:** Multiple locations throughout the codebase
+**Issue:** Uses string concatenation instead of template literals.
+**Impact:** Slightly less readable and potentially less efficient.
+**Recommendation:** Replace with template literals where appropriate.
+
+## Implemented Fixes
+
+### Fix 1: Cookie Parsing Optimization
+Replaced the inefficient forEach loop with a reduce method in `app/helper/auth.js`.
+
+### Fix 2: Added Missing Return Statement
+Added return statement after admin check in `app/index.js` to prevent unnecessary code execution.
+
+## Performance Impact
+- **Cookie Parsing:** Reduces function call overhead for every authenticated request
+- **Missing Return:** Prevents duplicate response sending for admin users
+- **Overall:** Improves application reliability and performance for authenticated users
+
+## Testing Recommendations
+1. Test authentication flow to ensure cookie parsing still works correctly
+2. Verify admin endpoint only sends one response message
+3. Test user endpoint with various user IDs
+4. Verify login/logout functionality remains intact
diff --git a/app/helper/auth.js b/app/helper/auth.js
index b35ec1e..adcaf44 100644
--- a/app/helper/auth.js
+++ b/app/helper/auth.js
@@ -18,12 +18,12 @@ const getAppCookies = (req) => {
         const rawCookies = req.headers.cookie.split('; ');
         // rawCookies = ['myapp=secretcookie, 'analytics_cookie=beacon;']
 
-        const parsedCookies = {};
-        rawCookies.forEach(rawCookie=>{
+        const parsedCookies = rawCookies.reduce((acc, rawCookie) => {
             const parsedCookie = rawCookie.split('=');
             // parsedCookie = ['myapp', 'secretcookie'], ['analytics_cookie', 'beacon']
-            parsedCookies[parsedCookie[0]] = parsedCookie[1];
-        });
+            acc[parsedCookie[0]] = parsedCookie[1];
+            return acc;
+        }, {});
         return parsedCookies;
     }
     catch {
diff --git a/app/index.js b/app/index.js
index 1c099be..228d1ed 100644
--- a/app/index.js
+++ b/app/index.js
@@ -94,7 +94,10 @@ app.get('/auth', (req,res) => {
     if (!auth_cookie_id) {
         res.redirect(303, '/login');
     }
-    if (auth_cookie_id == "admin") res.send("Welcome admin!\n Here is the user data, please keep confidential\n" + JSON.stringify(secrets.people));
+    if (auth_cookie_id == "admin") {
+        res.send("Welcome admin!\n Here is the user data, please keep confidential\n" + JSON.stringify(secrets.people));
+        return;
+    }
     res.send("You are " + auth_cookie_id + ".\nSorry, you do not have admin access to this endpoint. <a href='/logout'>logout</a>");
 })