laserlight wrote: While handy, it is also a security risk, e.g., it makes it easier for an attacker to try session fixation by passing a link to an unsuspecting user who then uses the session without realising that the attacker also has access to the session.
I believe what laserlight refers to is called "session fixation."
OWASP has a handy cheat sheet for dealing with sessions, which looks pretty informative.
Another issue with putting the session id in the url is that users might copy and email this url to others (or paste it in a text message or IM client or something), not realizing that giving another user the session id will also grant them access to one's account.
You can usually mitigate this risk by having your code make sure that IP addresses do not change for a session (and possibly user agents, etc.), but this has its own inconveniences.
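An added example (not code from this thread) of the two mitigations the discussion touches on: the server always generates the session id itself instead of accepting one from a URL, rotates it on login so a planted or shared id never becomes an authenticated session, and binds the session to a hash of the client's IP and user agent. The in-memory store, the `SESSIONS` name and the sample addresses are constructed for the example; it also shows the inconvenience mentioned above, since a fingerprint mismatch invalidates the session for the legitimate user too.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory session store; a real deployment would keep this
# server-side in a database or cache, never in the URL.
SESSIONS: Dict[str, dict] = {}

def _fingerprint(ip: str, user_agent: str) -> str:
    # Store a hash of the client details rather than the raw values.
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

def create_session(ip: str, user_agent: str) -> str:
    # The server picks the id; an id supplied by the client is never honoured,
    # which removes the fixation vector laserlight describes.
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"fp": _fingerprint(ip, user_agent), "user": None}
    return sid

def load_session(sid: str, ip: str, user_agent: str) -> Optional[dict]:
    """Return the session record, or None if the id is unknown or the client
    fingerprint (IP + user agent) no longer matches the one bound at creation."""
    record = SESSIONS.get(sid)
    if record is None:
        return None
    if not hmac.compare_digest(record["fp"], _fingerprint(ip, user_agent)):
        # Possible hijack (e.g. a copied link used from another machine):
        # invalidate the session rather than trust it. The legitimate user
        # is logged out as well, which is the inconvenience noted above.
        del SESSIONS[sid]
        return None
    return record

def login(sid: str, ip: str, user_agent: str, user: str) -> Optional[str]:
    """Mark the session authenticated and rotate its id, so an id the user
    received in a link or shared earlier does not become a logged-in session."""
    record = load_session(sid, ip, user_agent)
    if record is None:
        return None
    del SESSIONS[sid]                      # old id stops working immediately
    new_sid = secrets.token_urlsafe(32)
    SESSIONS[new_sid] = {"fp": record["fp"], "user": user}
    return new_sid
```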