Comment 14 for bug 1197459

Matthew Edmonds (edmondsw) wrote:

@sdague, It is a well-accepted security statement that you should never pass secrets in query parameters. Maybe how to fix it is opinion, but not that there is a problem here.

You don't have to have a MitM or XSS to exploit this. Query parameters are stored in browser history, so launching a session from a shared computer also leads to exposure. Access to a web cache also equals exposure. Etc.
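Added example, not part of the bug thread or of any OpenStack code: it shows concretely why the comment above treats a credential in the query string as already exposed. The same request is built twice, once with the token in the query string and once in an Authorization header, and then rendered as the Common Log Format line a web server, proxy or cache would write for it. The request line (and therefore the URL) is what ends up in access logs, browser history and Referer headers; request headers are not, so only the query-string variant leaks. A small scanner and redactor for access logs follow, since that is the check an operator would run to find existing exposure. The parameter-name list, the `example.test` host, the `/v2/servers` path and all log lines are constructed for the example.

```python
"""Why a secret in a query string is exposed while the same secret in a
header is not, plus a scanner/redactor for URLs that carry credentials.
Added example; names, paths and log lines are constructed, not real."""
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Parameter names commonly used to carry credentials (hypothetical list;
# extend it for the services you actually run).
SENSITIVE_PARAMS = {"token", "access_token", "auth_token", "api_key",
                    "apikey", "password", "passwd", "secret", "session",
                    "sessionid"}


def build_request(path, params, secret, in_query):
    """Return (request_line, headers) for a GET to `path`.

    in_query=True puts the secret in the query string (the pattern the bug
    report objects to); in_query=False sends it as a bearer token in the
    Authorization header instead."""
    query = dict(params)
    headers = {"Host": "example.test"}
    if in_query:
        query["token"] = secret
    else:
        headers["Authorization"] = "Bearer " + secret
    target = path + ("?" + urlencode(query) if query else "")
    return "GET %s HTTP/1.1" % target, headers


def access_log_line(request_line, client="10.0.0.5", status=200, size=512):
    """Common Log Format entry a server, proxy or cache writes for a request.
    Only the request line is recorded, never the other request headers, so a
    header-borne secret does not appear here (or in browser history, which
    likewise stores the URL)."""
    return '%s - - [10/Jul/2013:12:00:00 +0000] "%s" %d %d' % (
        client, request_line, status, size)


def secrets_in_text(text, secrets):
    """Return the subset of `secrets` that appear verbatim in `text`."""
    return {s for s in secrets if s in text}


def flag_sensitive_query_params(url):
    """Names of query parameters in `url` whose names suggest a credential."""
    names = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return sorted(n for n in names if n.lower() in SENSITIVE_PARAMS)


def redact_url(url):
    """Replace the values of sensitive-looking parameters with REDACTED,
    leaving the rest of the URL intact (for safe storage or sharing)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    for name in query:
        if name.lower() in SENSITIVE_PARAMS:
            query[name] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(query, doseq=True)))


def scan_log(lines):
    """(line_number, flagged_param_names) for each CLF log line whose
    request URL carries a sensitive-looking query parameter."""
    hits = []
    for number, line in enumerate(lines, 1):
        try:
            # The quoted field is the request line: GET /path?x=y HTTP/1.1
            target = line.split('"')[1].split()[1]
        except IndexError:
            continue  # malformed line, skip it
        flagged = flag_sensitive_query_params(target)
        if flagged:
            hits.append((number, flagged))
    return hits


if __name__ == "__main__":
    SECRET = "s3cr3t-token-value"  # constructed value
    for in_query in (True, False):
        req, _ = build_request("/v2/servers", {"limit": "10"}, SECRET, in_query)
        line = access_log_line(req)
        print(line, "->", secrets_in_text(line, {SECRET}) or "no leak")
    for number, names in scan_log([access_log_line(
            build_request("/v2/servers", {}, SECRET, True)[0])]):
        print("log line %d exposes query params: %s" % (number, names))
```

The scanner only matches parameter names, so it is a cheap first pass over existing logs and proxy caches; the point of the comment stands regardless of the name, because any value placed in the URL is copied into every store that records URLs.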