
eliminate cookie sessions for webapp API

we have two options for preventing CSRF with the API:

if we want to still allow cookie sessions, then we must also validate the authenticity_token when the cookie is used.

alternately, we can ignore cookies altogether in the API, and require a SESSION_TOKEN directly in the request, either as a header, a parameter, or as the password to HTTP basic auth.

using SESSION_TOKEN via http basic auth should still allow the web app to use the api, because it can construct urls for the api like

https://username:SESSION_TOKEN@api.domain.net/1/users.json

i think it is cleaner to eliminate cookies from the api. i don't know if this will break the clients. probably best to first add cookie-less SESSION_TOKEN-based API, then switch clients to use it, then eliminate api cookies.
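As an added illustration of the cookie-less option (this is example code written here, not code from the project or the issue author), the Ruby below resolves an API request to a user from a SESSION_TOKEN carried as the HTTP basic auth password, in a header, or as a query parameter, and never reads the cookie header at all, so a browser's ambient session cannot be replayed by a cross-site request. The header name `X-Session-Token`, the parameter name `session_token`, the `SESSIONS` store and its token values are all constructed placeholders, not names from the project.

```ruby
require "base64"
require "uri"

# Constructed sample session store (token => username). In a real deployment
# this is a database lookup; these token values are placeholders.
SESSIONS = {
  "tok-alice-0123456789abcdef" => "alice",
  "tok-bob-fedcba9876543210"   => "bob",
}.freeze

# Constant-time string comparison so a token check cannot leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Build the Authorization header a client sends for a URL of the form
# https://username:SESSION_TOKEN@host/path, i.e. the URL shape the issue
# says the web app can construct for the API.
def basic_auth_header_for(url)
  uri = URI.parse(url)
  raise ArgumentError, "url carries no userinfo" if uri.user.nil?
  "Basic " + Base64.strict_encode64("#{uri.user}:#{uri.password}")
end

# Pull the session token out of a Rack-style env hash, trying the three
# carriers proposed in the issue: HTTP basic auth password, a custom header
# (X-Session-Token, an assumed name) and a query parameter (session_token,
# also assumed). HTTP_COOKIE is deliberately never consulted.
def extract_session_token(env)
  auth = env["HTTP_AUTHORIZATION"].to_s
  if auth.start_with?("Basic ")
    decoded = begin
      Base64.strict_decode64(auth.delete_prefix("Basic "))
    rescue ArgumentError
      nil # malformed base64: fall through to the other carriers
    end
    if decoded&.include?(":")
      _user, token = decoded.split(":", 2)
      return token unless token.empty?
    end
  end

  header = env["HTTP_X_SESSION_TOKEN"].to_s
  return header unless header.empty?

  params = URI.decode_www_form(env["QUERY_STRING"].to_s).to_h
  token = params["session_token"].to_s
  token.empty? ? nil : token
end

# Resolve the request to a username, or nil when no valid token is present.
# Every stored token is compared so the loop's timing does not depend on
# which entry (if any) matches.
def authenticate(env)
  token = extract_session_token(env)
  return nil if token.nil?
  found = nil
  SESSIONS.each { |stored, user| found = user if secure_equal?(stored, token) }
  found
end

if __FILE__ == $PROGRAM_NAME
  env = {
    "HTTP_AUTHORIZATION" => basic_auth_header_for(
      "https://alice:tok-alice-0123456789abcdef@api.domain.net/1/users.json"
    ),
  }
  puts authenticate(env).inspect                                  # "alice"
  puts authenticate("HTTP_COOKIE" => "_session_id=abc").inspect   # nil
end
```

Because `authenticate` ignores `HTTP_COOKIE`, a request that arrives with only the browser's session cookie is treated as anonymous, which is exactly what makes the CSRF check unnecessary on this path; the migration order in the issue (add the token path, move clients, then drop API cookies) maps onto switching from a cookie-aware authenticator to this one.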

(from redmine: created on 2013-07-14, closed on 2013-09-20)