incubator-allura-dev mailing list archives

From Cory Johns <>
Subject REST API: Cookie auth?
Date Tue, 10 Dec 2013 20:01:58 GMT
We (somewhat) recently added bearer tokens to the REST API to make using
the API easier for developers, but I was wondering what the consensus was
regarding allowing auth via the normal browser cookie?

Like bearer tokens and the normal web session, it would require SSL.  I
can't think of any issues with it, personally, since it would have the same
security as the normal browser session.

Same-origin policy ought to prevent data leakage on GET requests, and
requiring POST for action end-points ought to prevent any other
shenanigans.  Is there anything else I'm missing?  Any other reason not to
add the normal session cookie as an API auth option?
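
An added example, not part of the original message and not Allura code: a Python sketch of the request check the message describes (SSL for both auth methods, POST for action endpoints). The function name, the `session` cookie name, the sample stores and the `forge.example` host are hypothetical, and the Origin comparison for cookie-authenticated non-GET requests is an extra check beyond what the message lists, included because browsers attach cookies to cross-site form submissions as well.

```python
from urllib.parse import urlsplit

SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}
# Constructed sample stores; a real application would query its own.
TOKENS = {"tok-abc": "alice"}        # bearer token -> user
SESSIONS = {"sess-123": "alice"}     # session cookie value -> user


def authorize(method, url, headers, cookies, is_action=False):
    """Return (allowed, reason) for one API request."""
    target = urlsplit(url)
    if target.scheme != "https":
        return False, "ssl required"            # applies to tokens and cookies alike
    if is_action and method != "POST":
        return False, "action endpoints require POST"

    auth = headers.get("Authorization", "")
    if auth.startswith("Bearer "):
        # A bearer token is added by the client explicitly, never by the browser.
        if auth[len("Bearer "):] in TOKENS:
            return True, "bearer token"
        return False, "unknown bearer token"

    if cookies.get("session") not in SESSIONS:
        return False, "no credentials"
    if method not in SAFE_METHODS:
        # The cookie rides along automatically, so the request must also
        # prove it came from our own origin (a missing Origin is rejected).
        origin = urlsplit(headers.get("Origin", ""))
        if (origin.scheme, origin.netloc.lower()) != (target.scheme, target.netloc.lower()):
            return False, "cross-origin cookie request"
    return True, "session cookie"


if __name__ == "__main__":
    url = "https://forge.example/rest/p/test/tickets/new"   # constructed URL
    cookie = {"session": "sess-123"}
    for origin in ("https://forge.example", "https://other.example"):
        print(origin, authorize("POST", url, {"Origin": origin}, cookie, is_action=True))
```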
