In webmail interface session identifier is passed to server as a part of GET requiest, thouse may be discovered by third party via Referer: field.
vulners.com/securityvulns/securityvulns:doc:4482