thanks Erik for quick reply!! I think so, but our security team who sent me results has another opinion. They suggested to replace GET requests with POST.. it's a huge effort cause all data across the forum is sent via GET requests. I think it useless activity.
They are free to file a report in our security tracker so that a member of our security team can review it.
However, simply correct your cookie settings. phpBB only uses the SID parameter if it can't write a cookie.
Erik, sid appears in URL parameters in first two requests. When the sid's value in cookies are equal with sid's value in URL, the last one disappears from URL parameters. Is it correct behavior of the system?
Yes, the first request always contains the SID as at that point phpBB can't know whether it can set a cookie. So if you land on the forum, phpBB will write the cookie and set the SID to assure that the session ID is passed to the next request, then on the following page load phpBB know whether or not it has a cookie with the session data and based upon that it will determine whether to pass the SID through the URL or use the cookie.
Unfortunately it is something that must be done as phpBB can only read the cookie on the next request so on the first one it writes the cookie but doesn't know whether that was successful.