As I mentioned before, if you dissect what they do with cookies and when, you'll find they maintain two levels of session tracking, one for "non-sensitive" personalization uses and one for "sensitive" authentication uses. The URL session ID is likely only the former, and not exposing anything sensitive.
I haven't spent a lot of time seeing what they do when I disable cookies, but I do know that if I copy a URL (which contains my session ID) and send it to a friend, when that friend clicks on it, Amazon redirects to a new URL with a different session ID.

> From: Rob Nagler <[EMAIL PROTECTED]>
> Organization: bivio Software Artisans, Inc. <http://www.bivio.net>
> Date: Fri, 16 Nov 2001 15:22:02 -0700
> To: [EMAIL PROTECTED]
> Subject: RE: Cookie authentication
>
>> If you happen to type in a URL, they can revive your
>> session from the cookie. Pretty nifty trick.
>
> This would seem to be a security hole to me. URLs appear in the logs
> of the server as well as any proxy servers along the way. If the URL
> contains reusable auth info, anybody accessing any of the logs could
> gain access to customer accounts.
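
A minimal sketch of the two-level scheme discussed in this message, added here as an illustration; it is not Amazon's code and was not posted to the thread. The names `handle`, `new_sid`, `browser_id`, the `auth` cookie and the `/account` path are hypothetical, and the sketch assumes the browser accepts cookies.

```python
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(32)  # server-side key for the auth cookie (assumption)
SESSIONS = {}                     # URL session ID -> browser_id it was issued to


def _mac(user):
    return hmac.new(SECRET, user.encode(), hashlib.sha256).hexdigest()


def sign(user):
    """Auth cookie value: user plus an HMAC, so it cannot be derived from a URL."""
    return f"{user}:{_mac(user)}"


def verify(cookie):
    """Return the user named in a valid auth cookie, else None."""
    user, _, mac = (cookie or "").rpartition(":")
    ok = bool(user) and hmac.compare_digest(mac.encode(), _mac(user).encode())
    return user if ok else None


def new_sid(browser_id):
    sid = secrets.token_hex(8)
    SESSIONS[sid] = browser_id
    return sid


def handle(path, url_sid, cookies):
    """Return (status, detail) for one request."""
    browser_id = cookies.get("browser_id")
    # Level 1: the URL session ID is for personalization only. A session ID
    # issued to a different browser (a pasted link) is replaced, not honoured.
    if browser_id is None or SESSIONS.get(url_sid) != browser_id:
        browser_id = browser_id or secrets.token_hex(8)
        return 302, {"sid": new_sid(browser_id), "set_browser_id": browser_id}
    # Level 2: sensitive paths require the signed auth cookie. The URL session
    # ID, which lands in server and proxy logs, is never a credential.
    if path.startswith("/account"):
        user = verify(cookies.get("auth"))
        return (200, {"user": user}) if user else (401, {"reason": "login required"})
    return 200, {"sid": url_sid}
```
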