Forum Discussion
Hi grahamgatus
Out of curiosity, why is this behavior identified as a risk? I would normally say that in this situation this is the desired behavior. If a user is logged in in their browser, they should be able to see data that is available to their account.
Thanks,
I am trying to compare a few alternatives for fetching content from Lithium: one using the browser to make the API calls (which get to take advantage of any session cookies that logged-in users may have for the cross-domain AJAX requests back into Lithium), and the other making REST calls from the server, which will be unauthenticated at this point in time.
If we had a variety of modules deployed on our site that talk to Lithium, some making direct browser calls and some calling Lithium from the server, there may be differences in the returned content for logged-in and non-logged-in users.
I am trying to assess which option would be best. At this point, as you suggest, it is probably a better experience to pass through the session cookie.