@Ben L. said:
For a typical web page, the browser will make multiple requests (one for the company logo, one for the background image, etc.), none of which would contain the session ID in the URL. With each of those requests the browser will happily upload the cookies for the entire domain. That means all the cookies for the domain are uploaded for each request to ANY content hosted on that domain. This quickly adds up to a lot more than having the ID in some of the URLs (which I never suggested in the first place).
Pardon my ignorance, but won't this "extended" URL replete with session ID information be passed in the Referer header anyway, whatever content type is requested (and indeed be passed even to OTHER domains you're getting content from, whether they are subdomains of your website, or the latest Facebook sharing widget)?
As blakey said, you've just moved the problem from one place to another, you haven't actually changed your bandwidth consumption at all! And for all intents and purposes, you are potentially broadcasting your session ID to other people's websites also!
I'm not sure I'm willing to trade my session security for 20 bytes saved. Especially when you are probably not saving them anyway.
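
The Referer exposure raised in this post, as an added example that is not part of the original thread: a small audit that computes which hosts would receive a URL-borne session ID via the Referer header under a given Referrer-Policy. The URLs, host names and the `sid` parameter name are constructed assumptions, and origin comparison is simplified to scheme plus host.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qs

# Assumed session parameter names; adjust to the application being audited.
SESSION_PARAMS = {"sid", "sessionid", "phpsessid", "jsessionid"}

def referrer_sent(page_url, target_url, policy):
    """Referer value sent for target_url when loaded from page_url, or None."""
    page, target = urlsplit(page_url), urlsplit(target_url)
    # Full referrer keeps path and query but never the fragment.
    full = urlunsplit((page.scheme, page.netloc, page.path or "/", page.query, ""))
    origin = f"{page.scheme}://{page.netloc}/"
    same_origin = (page.scheme, page.netloc) == (target.scheme, target.netloc)
    downgrade = page.scheme == "https" and target.scheme != "https"
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if downgrade:  # the remaining policies send nothing on HTTPS -> HTTP
        return None
    if policy == "no-referrer-when-downgrade":
        return full
    if policy == "strict-origin":
        return origin
    if policy == "strict-origin-when-cross-origin":
        return full if same_origin else origin
    raise ValueError(f"unknown policy: {policy}")

def leaks_session(referer):
    """True if the Referer value carries a session parameter in its query."""
    if referer is None:
        return False
    return any(k.lower() in SESSION_PARAMS for k in parse_qs(urlsplit(referer).query))

def audit(page_url, resources, policy):
    """Sorted hosts that would see the session ID in the Referer header."""
    return sorted({urlsplit(r).netloc for r in resources
                   if leaks_session(referrer_sent(page_url, r, policy))})

# Constructed sample: a page with the session ID in its URL and three sub-resources.
PAGE = "https://shop.example/cart?sid=abc123"
RESOURCES = ["https://shop.example/logo.png", "https://cdn.shop.example/bg.jpg",
             "https://widgets.social.example/share.js"]
if __name__ == "__main__":
    for p in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(p, "->", audit(PAGE, RESOURCES, p))
```

Under `no-referrer-when-downgrade` all three hosts see the session ID; under `strict-origin-when-cross-origin` only the page's own origin does.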