/api/session returns 404 instead of 401 when session expired
I disagree. Session expired, so it doesn't exist. It's not an authorization issue.
that would be correct if the url was:
/api/session/<id>
or
/api/session?id=<id>
but because the url is /api/session, then 404 means that this url doesn't exist. That is not the case.
When I query /api/session with an expired session cookie I get:
"GET /api/session HTTP/1.1" 404
but IMHO the correct response would be 401.