Why id & sessionid in URL? [closed]

Question

It's difficult to tell what is being asked here. This question is ambiguous, vague, incomplete, overly broad, or rhetorical and cannot be reasonably answered in its current form. For help clarifying this question so that it can be reopened, visit the help center.

Closed 8 years ago.

I see some URLs like this:

http://www.example.com/?view=profile&id=098&hash=589e8bed895198495d987d055699d2b9

Why some sites add ID and hashed password to URL? Is it the session ID? Is there any advantage with using URL like that for user profiles?

Answer 1

The intent is likely to prevent you from quickly stepping through pages with a predictable URL pattern.

If their profile URLs were just like: http://www.siteadress.com/?view=profile&id=098

you could go to http://www.siteadress.com/?view=profile&id=099, http://www.siteadress.com/?view=profile&id=100, etc. and expect to find content there. If the profiles include, say, e-mail addresses, it'd be a great find for a spambot to crawl through.

Answer 2

There is nothing wrong with this. The data has to get sent somehow... the site programmers chose this particular method.

It isn't pretty... that's about it.

You should also note that you can set your PHP session ID this way, depending on configuration.