feature request: provide alternative means of returning a session id

currently, the WebAuth-GetSid service returns a session id as a uri query parameter. as the name suggests, this is meant to be used for query information, not for returning sensible information to another service.

although this is not inherently insecure, it is one kind of information exposure that increases the attack surface, see Information exposure through query strings in url.

as some apps may rely on this behavior, consider the following suggestion:

handle a query request parameter "method" and check it for the value "header"; return the session id in a http header if this is set and as a uri query parameter otherwise