We have recently put one of our Moodles (1.9.8) through penetration testing at the request of a client. Most of the issues are quickly solvable - a couple we may alert you to via the tracker once confirmed as issues in Moodle core and not our own code/configuration.
One point raised was the use of session keys in URLs, the worry being that these could be obtained via proxy server caches and the like.
I've been told by one of the Moodle development team that it is not possible to switch this functionality off. Just wondering what the advice is to feed back to the client?
I guess my first take on this is to make sure the session time-out is set to 10 mins or so, so then the session key is only of value for a short period of time...
Any views or comments people want to share about this here?
Many thanks,
dan
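One concrete thing a defender can do while the URL-token behaviour cannot be switched off is to measure the exposure and keep the tokens out of the places the pen-testers were worried about (web server and proxy logs, shared log exports). The script below is an added example, not code from the original post or from Moodle itself; it assumes Apache combined-format access logs and Moodle's `sesskey` query parameter name, and the log lines it parses are constructed sample data, not real traffic. It counts requests whose target URL or Referer header carries the token and produces a scrubbed copy of the log with the token values replaced.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2011:09:12:01 +0000] "GET /moodle/course/view.php?id=3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2011:09:12:07 +0000] "GET /moodle/mod/forum/view.php?id=12&sesskey=AbCdEf1234 HTTP/1.1" 200 8001 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2011:09:13:44 +0000] "POST /moodle/login/index.php HTTP/1.1" 303 0 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2011:09:14:02 +0000] "GET /moodle/course/loginas.php?id=3&user=7&sesskey=Zz99Yy88Xx HTTP/1.1" 302 0 "http://lms.example/moodle/course/view.php?id=3&sesskey=Zz99Yy88Xx" "Mozilla/5.0"
"""

# Query-string parameters treated as secrets. "sesskey" is Moodle's per-session
# token; add any other token names your own code puts into URLs (assumption).
TOKEN_PARAMS = {"sesskey"}

# Request line: "METHOD URL HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) (?P<proto>HTTP/[\d.]+)"')
# Referer: the quoted field that follows the status code and byte count.
REFERER_RE = re.compile(r'" \d{3} (?:\d+|-) "(?P<referer>[^"]*)"')
# Any token parameter anywhere on the line (request target or Referer).
TOKEN_IN_QUERY_RE = re.compile(
    r'(?<=[?&])(' + '|'.join(sorted(TOKEN_PARAMS)) + r')=[^&\s"]*')


def redact_url(url, params=TOKEN_PARAMS):
    """Return (redacted_url, found): the URL with token values replaced and
    the list of token parameter names that were present."""
    parts = urlsplit(url)
    found, cleaned = [], []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        if key in params:
            found.append(key)
            cleaned.append((key, "REDACTED"))
        else:
            cleaned.append((key, value))
    redacted = urlunsplit(
        (parts.scheme, parts.netloc, parts.path, urlencode(cleaned), parts.fragment))
    return redacted, found


def scrub_line(line):
    """Replace every token value on a log line, wherever it appears."""
    return TOKEN_IN_QUERY_RE.sub(r"\1=REDACTED", line)


def audit_log(text):
    """Count lines whose request target or Referer carries a token and
    return (stats, scrubbed_text) so the scrubbed copy can be shared safely."""
    stats = {"lines": 0, "request_exposures": 0, "referer_exposures": 0}
    scrubbed = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stats["lines"] += 1
        req = REQUEST_RE.search(line)
        if req and redact_url(req.group("url"))[1]:
            stats["request_exposures"] += 1
        ref = REFERER_RE.search(line)
        if ref and ref.group("referer") != "-" and redact_url(ref.group("referer"))[1]:
            stats["referer_exposures"] += 1
        scrubbed.append(scrub_line(line))
    return stats, "\n".join(scrubbed) + "\n"


if __name__ == "__main__":
    summary, clean = audit_log(SAMPLE_LOG)
    print(summary)
    print(clean)
```

Run against a real access log (`audit_log(open(path).read())`) to report how many requests put the token into logs and upstream caches before any timeout change is discussed with the client; the scrubbed output is what should be handed to third parties. Shortening the session timeout, as suggested above, limits how long a leaked token remains valid but does not stop it being written to these stores in the first place.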