When I see these extremely long URLs I know, of course, that someone is being clueless and sloppy and I know, of course, that whatever they are embedding could be hashed or compressed to 64 (or fewer) characters ...
But you are saying that what I am witnessing is the entire state of the transaction being passed in the URL?
I guess I thought that they were passing multiple third-party tracking strings all in the same URL and that different parts of the string were actually for different consumers of that data ...
It's not clueless or sloppy. They are most likely using https://en.wikipedia.org/wiki/JSON_Web_Token which is a well-defined standard and extremely common in the authentication world because it makes a ton of sense. It lets your authentication server be mostly stateless instead of storing tons of sessions unnecessarily.
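To illustrate the reply above (an added example, not part of the original thread): a minimal HS256 JWT issue and verify routine using only Python's standard library, showing why the token makes the URL long and how the server checks it with a key instead of a session lookup. The secret, the URL and the `token` parameter name are constructed for the example.

```python
import base64, hashlib, hmac, json, time
from urllib.parse import urlsplit, parse_qs

SECRET = b"constructed-demo-key"  # assumption: HS256 key held only by the server

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(claims: dict, key: bytes = SECRET) -> str:
    """Serialize header and claims, then append an HMAC-SHA256 signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_token(token: str, key: bytes = SECRET, now=None) -> dict:
    """Validate a token with the key alone; no session store is consulted."""
    try:
        head_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(head_b64))
        claims = json.loads(b64url_decode(body_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad base64, bad JSON
        raise ValueError("malformed token") from exc
    if not isinstance(header, dict) or not isinstance(claims, dict):
        raise ValueError("malformed token")
    # Pin the algorithm server-side; never trust the header to choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

def token_from_url(url: str, param: str = "token") -> str:
    """Pull the token out of a query string (hypothetical parameter name)."""
    return parse_qs(urlsplit(url).query)[param][0]
```

The claims segment is only base64url-encoded, not encrypted, so anything placed in it is readable by whoever sees the URL (proxy logs, browser history, Referer headers).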
Oh, so that is what is happening?