session identifier can get into URL, when link is clicked before page completely loaded
I opened http://www.webtoolkit.eu/wt/ and clicked "Blog" link as soon as possible. Address in address bar was changed to http://www.webtoolkit.eu/wt/blog?wtd=2bekcaGD1Ay9GKw2n0WCk0RMFI9EXu4I. In this case any external resource (i.e., image) can steal session identifier.
Browser version 24.0.1312.70.