
Hi,

since 3.5 the oVirt REST API features a CSRF protection mechanism via CSRFProtectionFilter, see [1] for details.

[1] http://gerrit.ovirt.org/#/c/29681/

I'd like to ask what's the motivation behind calling the CSRF token header "JSESSIONID". I think the header name should reflect its logical purpose to avoid confusion.

Could we rename this header to something more appropriate like "OVIRT-REST-CSRF-TOKEN" or similar? It would better reflect the purpose of this (CSRF protection) header.

In future, we can still have another request header with the name "JSESSIONID" for transmitting the session ID from client to server; however, this potential new header would have a different purpose (transfer session ID vs. CSRF token). Each header should have a name reflecting its purpose.

(This is just a suggestion.)

Thanks,
Vojtech