[bullen]

Aha, well why do you need to send a header when you can just put the data on the GET URL like so "blabla?cookie=erWR32" for example?

In my example I use this code:

        var source = new EventSource('pull?name=one');
        source.onmessage = function (event) {
           document.getElementById('events').innerHTML += event.data;
        };

[tytho]

I think that works great! The complaint I’ve heard is that you may need to support multiple ways to authenticate opening up more attack surface.

[kreetx]

What if you use http-only cookies?

[tytho]

You can pass a ‘withCredentials’ option.