Yeah, cookie-based auth seems suuuper convenient, especially when you build a project that's something like a CMS based on a REST API and you don't want to send auth headers back and forth all the time.

But remember: as soon as you use cookies (or anything else the browser sends by itself automatically), you need to make sure that you know that *your user* initiated the request, or else you get XSRF issues.

And combined with JSONP, this is basically game-over. However, when the cookie-based auth is removed, I see no problems with JSONP (for the server; the one using the JSONP has to trust the server not to set malicious code).
Basic CSRF. If you don't know what CSRF is and how to protect against it, any website you make is *probably* going to be insecure. If you call yourself a web developer and don't know about CSRF, please, go learn it. I don't think I'd hire a web developer who couldn't tell me what CSRF is and how to prevent it. Even if your framework takes care of it for you, you still need to know what it is.
This isn't great, but I do want to speak on behalf of Put.io. It really is an incredible service and I've always had great response time from them on customer service issues. I highly encourage anyone who isn't using it to give it a look.