by xrstf
3965 days ago
Yeah, cookie-based auth seems suuuper convenient, especially when you build a project that's something like a CMS based on a REST API and you don't want to send auth headers back and forth all the time. But remember: as soon as you use cookies (or anything else the browser sends by itself, automatically), you need to make sure that you know your user initiated the request, or else you get XSRF issues. And combined with JSONP, this is basically game over. However, when the cookie-based auth is removed, I see no problem with JSONP (for the server; the one using the JSONP has to trust the server not to send malicious code).
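The failure mode described in the comment above, as an added example that is not code from the thread or from any project discussed on the page: a minimal in-memory model of a JSONP endpoint that authenticates with a session cookie, the cross-site `<script>` request a browser would send to it with the cookie attached automatically, and the same endpoint hardened to take identity only from an `Authorization` header (which a cross-site script tag cannot set) and to refuse JSONP wrapping for authenticated data. Requests are plain objects, so no network is involved; the session store, token table, endpoint names and sample data are all constructed for illustration.

```javascript
// Added example: cookie-authenticated JSONP endpoint vs. a hardened one.
// All names, sessions and tokens below are constructed for illustration.

// Constructed session store: cookie value -> private profile data.
const SESSIONS = {
  's3cr3t-session-id': { user: 'alice', email: 'alice@example.invalid' },
};
// Constructed bearer-token table: token -> session id.
const TOKENS = { 'tok-abc': 's3cr3t-session-id' };

function parseCookies(header) {
  const out = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

function parseQuery(url) {
  return Object.fromEntries(new URL(url, 'http://localhost').searchParams);
}

// VULNERABLE: identity comes from a cookie. The browser attaches that cookie
// to every request for this origin, including one triggered by
// <script src="https://api.example/profile?callback=steal"> on an attacker's
// page. The body is wrapped in the attacker-chosen callback, so the attacker's
// page receives the private data as a function argument: XSRF turned into a
// cross-origin read.
function vulnerableProfileEndpoint(req) {
  const session = SESSIONS[parseCookies(req.headers.cookie).session];
  if (!session) return { status: 401, body: '' };
  const callback = parseQuery(req.url).callback;
  const json = JSON.stringify(session);
  return {
    status: 200,
    contentType: 'application/javascript',
    body: callback ? `${callback}(${json});` : json,
  };
}

// HARDENED: identity must come from an Authorization header. A <script> tag
// cannot set request headers, and a cross-origin fetch() cannot add one without
// a CORS preflight this server would never approve. Cookies are ignored
// entirely, and JSONP wrapping is refused for authenticated resources, so the
// response is plain JSON that cannot be consumed as a script.
function hardenedProfileEndpoint(req) {
  const m = /^Bearer (\S+)$/.exec(req.headers.authorization || '');
  const session = m && SESSIONS[TOKENS[m[1]]];
  if (!session) return { status: 401, body: '' };
  if (parseQuery(req.url).callback !== undefined) {
    return { status: 400, body: 'JSONP is not supported for authenticated resources' };
  }
  return {
    status: 200,
    contentType: 'application/json',
    // Hypothetical flag: the real server should send X-Content-Type-Options: nosniff.
    nosniff: true,
    body: JSON.stringify(session),
  };
}

// What a browser does with a JSONP response: execute it as script, with the
// named callback in scope. This is also why the *consumer* of JSONP must trust
// the server: whatever it sends runs with the page's privileges.
function runAsScript(body, callbackName) {
  let captured = null;
  new Function(callbackName, body)((data) => { captured = data; });
  return captured;
}

// Constructed request as a browser would send it for an attacker's <script>
// tag: cookie attached automatically, no Authorization header possible.
const crossSiteScriptTagRequest = {
  url: '/profile?callback=steal',
  headers: { cookie: 'session=s3cr3t-session-id' },
};

function demo() {
  const leaked = runAsScript(vulnerableProfileEndpoint(crossSiteScriptTagRequest).body, 'steal');
  const blocked = hardenedProfileEndpoint(crossSiteScriptTagRequest).status;
  return { leakedUser: leaked && leaked.user, hardenedStatus: blocked };
}

console.log(demo()); // { leakedUser: 'alice', hardenedStatus: 401 }
```

The decisive change is not the removal of the `callback` parameter but where identity comes from: once the server only honours a credential the browser does not attach on its own, a cross-site script tag or image or form post arrives unauthenticated and the XSRF surface disappears with it. If a JSONP endpoint is kept for genuinely public data, the callback name should still be restricted to a plain identifier (for example `/^[A-Za-z_$][\w$]*$/`) so the parameter cannot inject arbitrary script into the response.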