Revert r76077, r76079, they were an overreaction to a security bug that wasn't really...
author Roan Kattouw <catrope@users.mediawiki.org>
Fri, 5 Nov 2010 11:54:35 +0000 (11:54 +0000)
committer Roan Kattouw <catrope@users.mediawiki.org>
Fri, 5 Nov 2010 11:54:35 +0000 (11:54 +0000)
commit 79b4e0fdd86aec4226743f79faf65195d5ad2268
tree e36175f4d5f84835aecc7972883fcba12191fc35
parent b8095a89d2b2b4b8268a5e289f3e372937660315
Revert r76077, r76079, they were an overreaction to a security bug that wasn't really a security issue at all. The API will currently echo your session cookie back at you, but an attacker can only read that output using same-domain AJAX, and if they can do that they can do worse things (and steal the user's session in easier ways).
RELEASE-NOTES
includes/api/ApiLogin.php