Unfortunately, this probably exists to support Flash file uploads, which can't pass cookies due to an ancient, still unfixed API bug.

Yehuda Katz
Architect | Strobe
(ph) 718.877.1325

On Sun, Oct 3, 2010 at 10:03 AM, James Tucker <jftucker@gmail.com> wrote:

There's an option in the sessions infrastructure to support sessions via params. It's untested anywhere except in the memcache session specs. I'd like to remove it as it's nothing but an optional security hole. I can't imagine anyone using this for anything sane, but I'm checking here in case I'm wrong.