In my humble opinion, passing session information in a
URL is a bad
idea. This could lead to social engineering attacks "paste your
address to me" where people can then get the Session ID and thus
manipulate the user's login. This is why cookies are the default.
In general,
you are right. However, I doubt if this api use will happen
often: the api is an advanced *programming* interface, and not meant for
general client use ;). I assume Yuri wants to introduce it because many
simple (and even many more advanced) http client libraries do not support
cookies.
POST would probably work okay, though. But then,
you'd have to use
buttons to go anywhere on your site, and the code just starts becoming
unmaintainable.
Well, again, no. For api use this could be used, as the client can
just
add post data. It's not necessary to browse the entire wiki using this
system, only api.php has to accept it :)
--valhallasw