We (somewhat) recently added bearer tokens to the REST API to make using the API easier for developers, but I was wondering what the consensus was regarding allowing auth via the normal browser cookie?
Like bearer tokens and the normal web session, it would require SSL. I can't think of any issues with it, personally, since it would have the same security as the normal browser session. Same-origin policy ought to prevent data leakage on GET requests, and requiring POST for action end-points ought to prevent any other shenanigans. Is there anything else I'm missing? Any other reason not to add the normal session cookie as an API auth option?
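As an added illustration (this is editor-supplied example code, not part of the original post or of any particular project), the gate below accepts both credential types the post mentions and shows where the two differ from a defender's point of view. A bearer token travels in an `Authorization` header that the browser never attaches on its own, so a request carrying it needs no cross-site check. A session cookie is attached by the browser to cross-site requests as well (an HTML form POST from another origin, for example), so the cookie path additionally requires evidence that the request originated from the API's own origin and, for non-safe methods, a per-session CSRF token. The origin `API_ORIGIN`, the header name `X-CSRF-Token`, the token and session stores, and the dict shape used to model a request are all assumptions made for this example.

```python
"""
Added example (not from the original post): an authentication gate for an API
that accepts either a bearer token or the normal browser session cookie.

Assumptions (made for this example): the API lives at API_ORIGIN, every session
record carries a per-session CSRF token, and an incoming request is modelled as
a small dict with "method", "headers" and "cookies".  The token and session
stores below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit
import hmac

API_ORIGIN = "https://api.example.com"      # assumed origin of the API
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}    # read-only methods (RFC 7231 "safe")

# Constructed sample credential stores.
BEARER_TOKENS = {"tok-alice-123": "alice"}
SESSIONS = {"sess-bob-456": {"user": "bob", "csrf": "csrf-bob-789"}}


@dataclass
class AuthResult:
    ok: bool
    user: Optional[str] = None
    reason: str = ""


def _origin_of(url: str) -> Optional[str]:
    """Reduce a URL (or Origin header value) to scheme://host[:port], lowercased."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None                      # e.g. the literal value "null"
    return f"{parts.scheme}://{parts.netloc}".lower()


def _is_same_origin_request(headers: dict) -> bool:
    """A cookie-authenticated request must prove it came from our own origin.
    Browsers send Origin on cross-origin requests and on every non-GET request,
    usually send Referer, and modern browsers send Sec-Fetch-Site on all
    requests.  With no evidence of provenance at all, refuse."""
    origin = headers.get("Origin")
    if origin is not None:
        return _origin_of(origin) == API_ORIGIN.lower()
    referer = headers.get("Referer")
    if referer is not None:
        return _origin_of(referer) == API_ORIGIN.lower()
    fetch_site = headers.get("Sec-Fetch-Site")
    if fetch_site is not None:
        # "none" is a user-initiated navigation (typed URL, bookmark), not a page.
        return fetch_site in ("same-origin", "none")
    return False


def _equal(a: str, b: str) -> bool:
    """Constant-time comparison of two secrets."""
    return hmac.compare_digest(a.encode(), b.encode())


def authenticate(request: dict) -> AuthResult:
    method = request["method"].upper()
    headers = request.get("headers", {})
    cookies = request.get("cookies", {})

    # 1. Bearer token: only script that already holds the token can add this
    #    header, and the browser never adds it by itself, so no cross-site check.
    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        token = auth[len("Bearer "):]
        for known, user in BEARER_TOKENS.items():
            if _equal(known, token):
                return AuthResult(True, user)
        return AuthResult(False, reason="invalid bearer token")

    # 2. Session cookie: the browser attaches it to cross-site requests too, so
    #    it must be paired with explicit proof that the request is ours.
    sid = cookies.get("session")
    if sid is None:
        return AuthResult(False, reason="no credentials")
    session = SESSIONS.get(sid)
    if session is None:
        return AuthResult(False, reason="invalid session")
    if not _is_same_origin_request(headers):
        return AuthResult(False, reason="cross-site request rejected")
    if method not in SAFE_METHODS:
        if not _equal(session["csrf"], headers.get("X-CSRF-Token", "")):
            return AuthResult(False, reason="missing or wrong CSRF token")
    return AuthResult(True, session["user"])


if __name__ == "__main__":
    # Constructed sample: a cookie-bearing POST whose Origin is another site.
    forged = {"method": "POST",
              "headers": {"Origin": "https://other.example"},
              "cookies": {"session": "sess-bob-456"}}
    print(authenticate(forged))
```

The point of the split is that the cookie branch, not the bearer branch, is where the extra conditions live: requiring POST for action endpoints does not by itself stop a cross-site form submission, because the browser still sends the session cookie with it, so the origin check and the CSRF token are what make cookie auth as safe for the API as it is for the normal web session that already performs those checks.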