403: using (_gitlab_session, API, POST) to create branch return 403

Hmmm… I remember before I can use session-based(here using _gitlab_session) request to create new branch?
But now It doesn’t work.(But PRIVATE_TOKEN is ok)

Could I have any method to solve this by using session-based request?

eg:
POST: http://localhost:32769/api/v4/projects/:projID/repository/branches?branch=newbranch&ref=master