diff --git a/homeassistant/components/http.py b/homeassistant/components/http.py
index 4ab0bfee351..2b260b0e841 100644
--- a/homeassistant/components/http.py
+++ b/homeassistant/components/http.py
@@ -202,17 +202,12 @@ class RequestHandler(SimpleHTTPRequestHandler):
 "Error parsing JSON", HTTP_UNPROCESSABLE_ENTITY)
 return
- if self.server.api_password is None:
- self.authenticated = True
- elif HTTP_HEADER_HA_AUTH in self.headers:
- api_password = self.headers.get(HTTP_HEADER_HA_AUTH)
-
- if not api_password and DATA_API_PASSWORD in data:
- api_password = data[DATA_API_PASSWORD]
-
- self.authenticated = api_password == self.server.api_password
- else:
- self.authenticated = self.verify_session()
+ self.authenticated = (self.server.api_password is None
+ or self.headers.get(HTTP_HEADER_HA_AUTH) ==
+ self.server.api_password
+ or data.get(DATA_API_PASSWORD) ==
+ self.server.api_password
+ or self.verify_session())
 if '_METHOD' in data:
 method = data.pop('_METHOD')
diff --git a/tests/components/test_api.py b/tests/components/test_api.py
index 56694289303..ab76ed0e3db 100644
--- a/tests/components/test_api.py
+++ b/tests/components/test_api.py
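Review bot: Both password checks in the new `self.authenticated = (...)` expression compare the client-supplied value with `==`, which is not constant-time; comparing with `hmac.compare_digest` behind a small helper avoids leaking through response timing how much of the password matched. The helper below also rejects non-string values, which matters for `data.get(DATA_API_PASSWORD)` if `data` can hold JSON-decoded values (its construction is outside the hunk), and it assumes `api_password` is a `str`; `import hmac` would be needed at the top of the file. Separately, the rewritten chain now accepts the password from `data` on every request, and the accompanying test sends it as `?api_password=`, so it can end up in access logs, browser history and Referer headers; a comment saying this is deliberate, and removing the key from `data` once checked, would help. The enclosing method begins and ends outside this hunk.

```python
def _password_matches(supplied, expected):
    """Return True if supplied equals expected, compared in constant time."""
    if not isinstance(supplied, str):
        return False
    return hmac.compare_digest(supplied.encode('utf-8'),
                               expected.encode('utf-8'))

# … unchanged: JSON body parsing and its error response …
        self.authenticated = (
            self.server.api_password is None
            or _password_matches(self.headers.get(HTTP_HEADER_HA_AUTH),
                                 self.server.api_password)
            or _password_matches(data.get(DATA_API_PASSWORD),
                                 self.server.api_password)
            or self.verify_session())
```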
@@ -66,18 +66,31 @@ class TestAPI(unittest.TestCase):
 # TODO move back to http component and test with use_auth.
 def test_access_denied_without_password(self):
- req = requests.get(
- _url(const.URL_API_STATES_ENTITY.format("test")))
+ req = requests.get(_url(const.URL_API))
 self.assertEqual(401, req.status_code)
 def test_access_denied_with_wrong_password(self):
 req = requests.get(
- _url(const.URL_API_STATES_ENTITY.format("test")),
+ _url(const.URL_API),
 headers={const.HTTP_HEADER_HA_AUTH: 'wrongpassword'})
 self.assertEqual(401, req.status_code)
+ def test_access_with_password_in_url(self):
+ req = requests.get(
+ "{}?api_password={}".format(_url(const.URL_API), API_PASSWORD))
+
+ self.assertEqual(200, req.status_code)
+
+ def test_access_via_session(self):
+ session = requests.Session()
+ req = session.get(_url(const.URL_API), headers=HA_HEADERS)
+ self.assertEqual(200, req.status_code)
+
+ req = session.get(_url(const.URL_API))
+ self.assertEqual(200, req.status_code)
+
 def test_api_list_state_entities(self):
 """ Test if the debug interface allows us to list state entities. """
 req = requests.get(_url(const.URL_API_STATES),
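Review bot: The new tests only exercise the accepting side of the query-string path; nothing checks that a wrong `api_password` in the URL is still rejected now that the handler consults `data` on every request. A companion case next to `test_access_with_password_in_url` would pin that: `req = requests.get(_url(const.URL_API), params={'api_password': 'wrongpassword'})` followed by `self.assertEqual(401, req.status_code)`. Passing the value through `params=` in the positive test as well would URL-encode it instead of interpolating it with `format`. The two added tests also have no docstrings, unlike `test_api_list_state_entities` below them.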