by alexjplant
1860 days ago
I also seem to recall PHP doing this in the form of PHPSESSID in the query string. It's a bad idea no matter who's doing it though. It enables accidental session-jacking (unless you turn on annoying countermeasures like invalidating sessions when IPs change and so forth), reduces cacheability, and a whole bunch of other things that come with leaking a secret in the URL. I don't think JWTs are a panacea but they beat the heck out of 2003-era session management.