In some cases people appear to perform rather weird requests which have the
session ID (TMID request parameter) set to a URL. This is absolutely useless
and simply cannot happen by itself. Therefore, the session ID filter has now
been upgraded to more thoroughly ensure that this kind of session ID gets
filtered out.
Reported as SF#1943724.