Per today's SA, http://drupal.org/node/1890222, cookie-based authentication for REST POST requests is insecure, particularly if you're running "certain browser plugins". (Need we guess which?) That can be worked around with a token, and we'll have to add support for that to Drupal 8 as well.
However, cookie-based authentication is not an appropriate approach for REST in the first place. It's not really "RESTful" because it's stateful, and it's really designed for browsers, not for web services. Instead, there are two more appropriate methods for doing user authentication for REST:
1) HTTP Basic Auth: Baked into the HTTP Spec, very simple.
2) OAuth: A big complex mess with less standardization than you might think.
OAuth is not going to make it into core for Drupal 8, and that's fine. It can live in contrib. However, we really should try to get HTTP Auth in so that we can do "proper" authenticated REST requests out of the box. It's very likely that we can steal code from http://drupal.org/project/services_basic_auth to save time.
The tricky part is that we don't have an authentication API right now. We have a session-login API (aka, a cookie-based one) that sets a global. This may necessitate cleaning that up so that we have an actual API to work with.
Also no doubt related:
I think this definitely qualifies as a feature, but because of the security implications I am marking it major. Also it probably should not go in REST module directly, but that seems the closest component for the time being.
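An added example, not part of the original post and not code from Drupal core or services_basic_auth: a sketch of stateless per-request HTTP Basic authentication, where the user is derived from the `Authorization` header alone and a session cookie is never consulted. The function names, the `$accounts` array and the sample credentials are hypothetical, and the sketch assumes the site is served over TLS, since Basic credentials are only base64-encoded.

```php
<?php
// Added illustration; all names below are hypothetical.

/**
 * Parses an "Authorization: Basic ..." header value.
 * Returns [user, password], or NULL when the header is absent or malformed.
 */
function example_parse_basic_auth(?string $header): ?array {
  if ($header === NULL || !preg_match('/^Basic +([A-Za-z0-9+\/]+=*)$/i', trim($header), $m)) {
    return NULL;
  }
  // Strict mode rejects input that is not valid base64.
  $decoded = base64_decode($m[1], TRUE);
  if ($decoded === FALSE || strpos($decoded, ':') === FALSE) {
    return NULL;
  }
  // The user name cannot contain ":"; everything after the first colon is
  // the password, which may itself contain colons.
  return explode(':', $decoded, 2);
}

/**
 * Authenticates one request from its headers alone: no session, no cookie.
 * $accounts maps user name => password_hash() output (hypothetical store).
 */
function example_authenticate(array $headers, array $accounts): ?string {
  $credentials = example_parse_basic_auth($headers['Authorization'] ?? NULL);
  if ($credentials === NULL) {
    return NULL;
  }
  [$name, $password] = $credentials;
  // Unknown users are checked against a dummy hash so the response time
  // does not reveal which names exist.
  $hash = $accounts[$name] ?? EXAMPLE_DUMMY_HASH;
  $ok = password_verify($password, $hash);
  return ($ok && isset($accounts[$name])) ? $name : NULL;
}

// Constructed sample data.
define('EXAMPLE_DUMMY_HASH', password_hash('unused', PASSWORD_DEFAULT));
$accounts = ['alice' => password_hash('s3cret:with:colons', PASSWORD_DEFAULT)];

$good = ['Authorization' => 'Basic ' . base64_encode('alice:s3cret:with:colons')];
$bad = ['Authorization' => 'Basic ' . base64_encode('alice:wrong')];
// A request carrying only a session cookie has no credentials to check.
$cookie_only = ['Cookie' => 'SESSexample=constructed'];

foreach ([$good, $bad, $cookie_only] as $headers) {
  var_dump(example_authenticate($headers, $accounts));
}
```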