Securing Cookie-Authenticated JSON APIs

APIs that expose private data require authentication. JSON is the hot “new” API response format. In the browser, the two combine badly when they are combined naïvely: the browser attaches the user's session cookie to requests it sends to the API's origin, including requests that a page on some other origin initiated, so an endpoint that relies on the cookie alone is reachable from any site the user happens to visit. Let's figure out what can go wrong and try to find a better way of combining authentication and JSON in browser-accessible APIs.