This may indicate that the application suffers from a “Session Fixation” vulnerability.
This issue allows an attacker to set (fix) another user’s session identifier. “Session Fixation” facilitates more advanced attacks, such as session hijacking.
The application should not pass session IDs trough GET or POST parameters. It is also recommended to ensure that session information is revoked and session IDs re-issued upon sensitive operations such as login, logout, password change, etc.