Sessions in the URL aren't a direct vulnerability, but they aren't a best practice either. As an example, there is a library site which offers books to be read on the web. They are also "saving" their sessions in the URL. Now somebody wants to give somebody else a link to a specific page. Now that other person knows the session of the user. This could be used in combination with social engineering to access information or take over user accounts.
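As an added example (not part of the original post): a Python sketch that scans web server access logs for session identifiers carried in URLs and reports any token presented by more than one client IP, which is how the shared-link scenario above shows up on the server side. The parameter names, the log format and the log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

# Assumed session parameter names; adjust to the application under review.
SESSION_PARAMS = {"sid", "sessionid", "phpsessid", "jsessionid"}

# Constructed access-log lines (combined log format), not real traffic.
SAMPLE_LOG = '''\
198.51.100.7 - - [10/Mar/2024:09:00:01 +0000] "GET /reader/book/42?page=3&sid=a1b2c3d4e5 HTTP/1.1" 200 5120
198.51.100.7 - - [10/Mar/2024:09:02:10 +0000] "GET /reader/book/42?page=4&sid=a1b2c3d4e5 HTTP/1.1" 200 5090
203.0.113.25 - - [10/Mar/2024:09:15:44 +0000] "GET /reader/book/42?page=3&sid=a1b2c3d4e5 HTTP/1.1" 200 5120
192.0.2.14 - - [10/Mar/2024:09:20:00 +0000] "GET /reader/book/7;jsessionid=ffee0011 HTTP/1.1" 200 4000
192.0.2.14 - - [10/Mar/2024:09:21:00 +0000] "GET /catalog?q=security HTTP/1.1" 200 900
'''

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*"')

def session_tokens(url):
    """Return session ids carried in the query string or as ;name=value path parameters."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    # Path parameters such as /page;jsessionid=abc
    for segment in parts.path.split("/"):
        for param in segment.split(";")[1:]:
            name, _, value = param.partition("=")
            pairs.append((name, value))
    return [v for k, v in pairs if k.lower() in SESSION_PARAMS and v]

def audit(log_text):
    """Map each URL-borne session token to the set of client IPs that presented it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, url = m.groups()
            for token in session_tokens(url):
                seen[token].add(ip)
    return dict(seen)

def shared_tokens(log_text):
    """Tokens presented by more than one client IP: a sign the link was passed on."""
    return {t: ips for t, ips in audit(log_text).items() if len(ips) > 1}

if __name__ == "__main__":
    for token, ips in shared_tokens(SAMPLE_LOG).items():
        print(f"session {token[:4]}... used from {sorted(ips)}")
```

A token seen from several IPs can also be one user changing networks, so treat a hit as a reason to look closer. Any hit from `audit` at all shows the application is putting session identifiers in URLs.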