I also seem to recall PHP doing this in the form of PHPSESSID in the query string.
It's a bad idea no matter who's doing it though. It enables accidental session-jacking (unless you turn on annoying countermeasures like invalidating sessions when IPs change and so forth), reduces cacheability, and a whole bunch of other things that come with leaking a secret in the URL. I don't think JWTs are a panacea but they beat the heck out of 2003-era session management.
Yeah, I got this comment elsewhere too. I decided to not edit, because I think current standards at least strongly discourage session id's in urls, and this functionality is basically obsolete.
Sessions requiring cookies felt like a reasonable approximation, and I've already had to hedge so many other statements =)
You can also just use Basic auth and get an Authentication header sent with every request. You know, what auth systems should have been using all along.
It's a bad idea no matter who's doing it though. It enables accidental session-jacking (unless you turn on annoying countermeasures like invalidating sessions when IPs change and so forth), reduces cacheability, and a whole bunch of other things that come with leaking a secret in the URL. I don't think JWTs are a panacea but they beat the heck out of 2003-era session management.