NB: This is the sixth post in a series of posts on web application security. Don’t put session IDs in the URL. Django explicitly does not support this because it’s just dangerous. Use SSL and secure cookies. Use HttpOnly cookies. Is it really that easy? Yes and no.