Hi! It's about things like this:
XOOPS/XCL contains a session token in the query parameters that refer precisely to pages with content that can only be accessed with user Login. The existence of these URLs can be exposed through log files or leaked via the Referer header. Moreover, it is more duplicated content for search engines, resulting in unnecessary consumption of bandwidth and lowering the positions in search engines. I'm not a PHP developer but... Xoops_redirect can be substituted for cookies or hidden input fields???
Please, try to search this with Google: