
> consider URLs insecure, especially if for a web browser.

A web site I used recently puts your session ID in the URL. If you log in, then alter the URL to remove the session ID, you appear logged out.

It gets even worse. Clicking the "Log out" button on the page simply removes the session ID from the URL. If you go back and reload the web page with the session ID in it again, you still appear logged in.

The page also doesn't use HSTS, so it is easily vulnerable to SSLStrip.



> A web site I used recently puts your session ID in the URL. If you log in, then alter the URL to remove the session ID, you appear logged out.

Nothing inherently wrong with that, but it depends on the situation.

> Clicking the "Log out" button on the page simply removes the session ID from the URL. If you go back and reload the web page with the session ID in it again, you still appear logged in.

That's bad.


This is common in servlet-container-land (Java) for handling browsers that don't support cookies. The URLs are rewritten to include the session-identifier (usually a cookie) as a request parameter instead.

There's no other mechanism to associate an HTTP request with back-end state (logged-in/out, etc.) except for session identifiers transmitted by the client browser (through cookies, headers, request parameters).
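To make the difference between the two logout behaviours described in this thread concrete, here is an added example (not code from any commenter, site or servlet container mentioned above). It is a toy model of servlet-style URL rewriting: the session ID is carried as a request parameter when no cookie is available, and a "Log out" that only edits the URL is compared with one that invalidates the server-side session. The names (`SessionStore`, `jsessionid`, `JSESSIONID`, the `example.test` URL) are assumptions; real servlet containers carry the ID as a `;jsessionid=...` path parameter, which this model simplifies to a query parameter.

```python
"""Toy model of URL-carried session IDs and of logout that does, or does not,
invalidate the server-side session. Illustrative code written for this thread;
the parameter and cookie names below are assumptions modelled on servlet containers."""
import secrets
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SESSION_PARAM = "jsessionid"   # hypothetical rewritten-URL parameter name
COOKIE_NAME = "JSESSIONID"     # hypothetical cookie name for cookie-capable browsers


class SessionStore:
    """Server-side map from opaque session ID to the logged-in user."""

    def __init__(self):
        self._sessions = {}

    def create(self, user):
        sid = secrets.token_urlsafe(32)   # unguessable; the weakness is where it travels
        self._sessions[sid] = user
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid)

    def invalidate(self, sid):
        # A real logout must forget the session server-side; otherwise any copy of
        # the ID (browser history, proxy log, Referer header) keeps working.
        self._sessions.pop(sid, None)


def session_id_from_request(url, cookies):
    """Locate the session ID the way a cookie-less fallback does: cookie first,
    then the parameter written into the URL."""
    if COOKIE_NAME in cookies:
        return cookies[COOKIE_NAME]
    query = dict(parse_qsl(urlsplit(url).query))
    return query.get(SESSION_PARAM)


def rewrite_url(url, sid):
    """Servlet-style URL rewriting: append the session ID so a browser without
    cookies keeps its session across clicks."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query))
    query[SESSION_PARAM] = sid
    return urlunsplit(parts._replace(query=urlencode(query)))


def strip_session_param(url):
    """What the 'Log out' button in the thread does: edit the URL and nothing else."""
    parts = urlsplit(url)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != SESSION_PARAM]
    return urlunsplit(parts._replace(query=urlencode(query)))


def whoami(store, url, cookies=None):
    """Resolve a request to a user, or None when the request looks logged out."""
    return store.user_for(session_id_from_request(url, cookies or {}))


def walk_through():
    """Replay the scenario from the thread and return the observations."""
    store = SessionStore()
    sid = store.create("alice")
    url = rewrite_url("https://example.test/account?tab=orders", sid)  # constructed URL

    after_login = whoami(store, url)                         # "alice"
    after_edit = whoami(store, strip_session_param(url))     # None: "appears logged out"

    # Broken logout: only the URL changes, the server still honours the session.
    broken_logout_url = strip_session_param(url)
    replayed_after_broken_logout = whoami(store, url)        # "alice" again: the bug

    # Proper logout: invalidate server-side, after which the replayed URL is dead.
    store.invalidate(sid)
    replayed_after_proper_logout = whoami(store, url)        # None

    # A cookie-capable browser never needs the ID in the URL at all.
    sid2 = store.create("bob")
    via_cookie = whoami(store, "https://example.test/account", {COOKIE_NAME: sid2})

    return {
        "after_login": after_login,
        "after_edit": after_edit,
        "broken_logout_url_has_param": SESSION_PARAM in broken_logout_url,
        "replayed_after_broken_logout": replayed_after_broken_logout,
        "replayed_after_proper_logout": replayed_after_proper_logout,
        "via_cookie": via_cookie,
    }


if __name__ == "__main__":
    for key, value in walk_through().items():
        print(f"{key}: {value}")
```

The point of the walk-through is the `replayed_after_broken_logout` step: stripping the parameter changes what the browser shows, but the store still maps the old ID to the user, so pasting the old URL back logs the visitor straight in. Only `invalidate()` changes that, and it is the same fix whether the ID arrives in a URL, a cookie or a header.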





