I am designing a REST API in Salesforce with sessionId as a required field in the request header for all calls after logging in. Is this even required in Salesforce ? I was forced to do it when I used a Java client to access the Salesforce data using the SFDC REST API to access the SFDC Objects from Java.
Can I assume that if a user has logged in using a VF page, then he has a valid session for making future Salesforce REST API calls and the REST API doesn't need a sessionID to be passed in ?
Can the client also pass a SOQL in with the /query/?q= call and get data from Objects over which he has no rights to see even if the REST class has with sharing rule and the Objects have the right permission for the Profile ?
Apex class methods that are exposed through the Apex REST API don't enforce object permissions and field-level security by default. We recommend that you make use of the appropriate object or field describe result methods to check the current user’s access level on the objects and fields that the Apex REST API method is accessing. See Schema.DescribeSObjectResult and Schema.DescribeFieldResult.
When trying to use the Chatter REST API to post a chatter @mention, I had to pass in the session Id in the request Header as :
You can get the SessionId of the logged in user as UserInfo.getSessionId()
I also had to add the URL as a Remote Site Setting for some strange reason, although it was a xx.salesforce.com URL
I would think the same would apply to your REST service.