URLs do not contain only parameters whose meanings are easy to understand.
Some, such as utm_source and gclid, make it easy to infer a tracking purpose. Others, such as id, token, cid, source, ref, and session, are hard to judge just by looking at them.
When you see an unknown parameter, it is dangerous both to think "I do not know it, so I can remove it" and to think "I do not know it, so I can leave it as-is."
For anonymity, the important thing is to distinguish whether the value is needed to display the page or is used to identify the user or the route.
This article organizes how to read and judge unknown URL parameters.
What are unknown parameters?
Unknown parameters are values in a URL whose purpose is hard to judge from the name alone.
For example, strings like this:
sample.test/page?id=123&cid=abc&token=xyz
Here, sample.test is a string used for explanation.
id=123 may be an article ID. It may be a product ID. It may be a per-user ID.
cid=abc may be a campaign ID. It may be a customer ID.
token=xyz may be a temporary access right or a value close to a session.
You cannot decide from the name alone.
That is why an unknown parameter should be handled by inferring its meaning, checking its behavior, and, if necessary, not sharing the URL at all.
Think by classification
Unknown parameters become easier to judge when you divide them into several types.
| Type | Example | Handling |
| --- | --- | --- |
| Value needed for display | id, page, q, category | Removing it may change the content |
| Tracking-like value | cid, campaign, source, ref | May be unnecessary for sharing |
| Individual-identification-like value | uid, user, visitor, client | Becomes a clue close to the user or device |
| Authentication or temporary-link-like value | token, session, sid, key | Prioritize not sharing publicly |
| Unclear long value | Random alphanumeric string | Handle carefully because it may be individually issued |
This classification is not a complete judgment.
However, it is safer than pasting without thinking.
In particular, handle values such as token, session, sid, and key carefully. A URL that carries them may be tied to login state or temporary access rather than being a URL meant for sharing.
Check whether it can be removed
For unknown parameters, actually remove them and check how the page behaves.
However, if you check only in your usual logged-in browser, you may judge incorrectly.
| Order | What to check | Reason |
| --- | --- | --- |
| 1 | Look at the parameter name | Infer whether it is closer to tracking, display, or authentication |
| 2 | Remove them one by one | Separate which values are needed to display the page |
| 3 | Open it in another browser | Reduce the effect of cookies and login state |
| 4 | Open it while logged out | Check whether it is a URL visible to others too |
| 5 | If an unknown long value remains, do not share | Avoid the possibility of an individual link |
If you remove everything at once, you no longer know which value was needed.
Removing values one by one makes it easier to separate values needed for display from values that are not needed.
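The classification and the one-by-one removal described above can be scripted. The following is an added example, not code from the original article: it labels each parameter by name and builds one test URL per removed parameter. The function names, the https:// scheme on the sample URL, and the 20-character cut-off for a "long value" are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names taken from the article's examples; real services vary.
CATEGORIES = {
    "auth": {"token", "session", "sid", "key"},
    "identity": {"uid", "user", "visitor", "client"},
    "tracking": {"cid", "campaign", "source", "ref", "utm_source", "gclid"},
    "display": {"id", "page", "q", "category"},
}
LONG_VALUE = 20  # assumed cut-off for an "unclear long value"


def classify(name, value):
    """Guess a category from the name; the guess still needs a behavior check."""
    for category, names in CATEGORIES.items():
        if name.lower() in names:
            return category
    return "opaque-long" if len(value) >= LONG_VALUE else "unknown"


def review(url):
    """Return (rows, withhold): rows are (name, category, url_without_it)."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    rows = []
    for i, (name, value) in enumerate(pairs):
        # Drop exactly one parameter so its effect can be checked in isolation.
        rest = pairs[:i] + pairs[i + 1:]
        variant = urlunsplit(parts._replace(query=urlencode(rest)))
        rows.append((name, classify(name, value), variant))
    # Auth-like names and long opaque values: prefer not sharing at all.
    withhold = any(cat in ("auth", "opaque-long") for _, cat, _ in rows)
    return rows, withhold


if __name__ == "__main__":
    # The article's sample URL, with an https:// scheme added.
    rows, withhold = review("https://sample.test/page?id=123&cid=abc&token=xyz")
    for name, category, variant in rows:
        print(f"{name:6} {category:9} test: {variant}")
    print("look for an official share URL" if withhold else "check each variant")
```

Each generated variant still has to be opened in another browser and while logged out; the name-based label is only the first step of the table above.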
Situations where unknown values become dangerous
Unknown parameters become a problem not only when the value itself is readable personal information.
Even alphanumeric strings that look random may be linked inside the service to a specific user, delivery, invitation, click, or session.
| Situation | What happens |
| --- | --- |
| Individual email link | A value indicating who the email was sent to may be attached |
| Invitation link | The inviter or invitee may be recorded |
| Limited-access link | Only people who know the URL can view it |
| Purchase or application completion page | Information close to the order or application may remain in the URL |
| Admin screen or preview | A screen not intended for publication may be shared |
If you share this kind of URL from an anonymous account, the URL itself creates a correlation even if you hide the network.
s and do not remove identifiers embedded in URLs.
Signs that you should not share
Some unknown parameters should make you avoid sharing before you even try removing them.
In the following cases, rather than forcing the URL into shape and sharing it, you should look for a separate URL from the public page or official share button.
| Sign | Reason |
| --- | --- |
| Contains token, session, or sid | May be close to temporary state or authentication |
| URL is extremely long | May contain a lot of individual state or tracking information |
| Only opens while logged in | May be a personal page not visible to others |
| Has words indicating admin, edit, or preview | May not be a public URL |
| Content changes greatly when a value is removed | The value is strongly related to page content |
For anonymity, it is important not to treat what you do not understand as safe.
"I do not really understand it, but it is probably fine" is a dangerous judgment.
Common misunderstandings
There are common misunderstandings about unknown parameters.
The first is the misunderstanding that "a random alphanumeric value has no meaning."
In reality, the more random a value looks, the more it may be used internally as an individual identifier.
Next is the misunderstanding that "there is no problem if my name is not included."
For anonymity, names are not the only problem. Individually issued links, email delivery IDs, invitation IDs, and session IDs connect with service-side logs.
Finally, there is the misunderstanding that "shortening the URL makes it safe."
A shortened URL only makes the appearance shorter. If unknown parameters remain at the expanded destination, the problem has not disappeared.
Practical judgment
When you see an unknown parameter, judge as follows.
Check whether the value seems necessary for display
Treat tracking-, referral-, or campaign-like values as removal candidates
Prioritize not sharing values such as token, session, sid, and key
After removing a value, reopen the URL in another browser
If unknown values remain, look for an official sharing URL
This judgment may look tedious.
However, a URL shared anonymously is part of the post body.
If you reread the body text, you also need to reread the URL.
Summary
Unknown URL parameters are values in a URL whose purpose is hard to judge from the name alone.
Values such as id, cid, ref, token, and session need to be checked for whether they relate to page display, tracking, individual identification, or authentication.
Do not immediately decide that unknown values can be removed or can be left as-is.
Remove them one by one, check in another browser or while logged out, and reduce values unnecessary for sharing.
Especially when values such as token, session, sid, or key exist, prioritize not sharing.
Small values left inside a URL may connect with service-side logs or access times.
For anonymity, it is important not to leave unknown values unchecked.