Purge those nasty JSESSIONID and PHPSESSID parameters from the URL bar. Now. Sensitive data in GET parameters are bad. Even over HTTPS.
Check out this session ID killer proxy built on nginx, which converts these sensitive query parameters into safe and secure cookies.
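The conversion itself, sketched in Python as an added example (this is not the code of the nginx proxy mentioned above): it strips the session parameters from a request URL and returns the `Set-Cookie` headers a proxy would send along with a redirect to the cleaned URL. It goes slightly beyond the query-parameter case by also handling the servlet `;jsessionid=` path-parameter form; the function name, cookie attributes and the `shop.example` host are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SESSION_PARAMS = {"JSESSIONID", "PHPSESSID"}  # parameter names taken from the page
# Servlet containers may also append the ID to the path: /cart;jsessionid=ABC123
PATH_PARAM_RE = re.compile(r";jsessionid=([^;/?#]*)", re.IGNORECASE)
# Accept only plain token characters, so a crafted value cannot smuggle
# extra cookie attributes ("; Domain=...") or header line breaks.
SAFE_VALUE_RE = re.compile(r"[A-Za-z0-9._-]{1,128}")


def strip_session_ids(url):
    """Return (clean_url, set_cookie_headers) for a request URL.

    When set_cookie_headers is non-empty, the proxy answers with a redirect
    to clean_url carrying those headers. Hypothetical helper, not a real API.
    """
    parts = urlsplit(url)
    found = {}

    # 1. Session ID carried as a path parameter.
    match = PATH_PARAM_RE.search(parts.path)
    if match:
        found["JSESSIONID"] = match.group(1)
    path = PATH_PARAM_RE.sub("", parts.path)

    # 2. Session IDs carried as query parameters; everything else is kept.
    kept = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name in SESSION_PARAMS:
            found[name] = value
        else:
            kept.append((name, value))

    clean = urlunsplit(
        (parts.scheme, parts.netloc, path, urlencode(kept), parts.fragment)
    )
    # Unsafe values are dropped from the URL but never turned into a cookie.
    cookies = [
        f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"
        for name, value in sorted(found.items())
        if SAFE_VALUE_RE.fullmatch(value)
    ]
    return clean, cookies


if __name__ == "__main__":
    # Constructed sample URL.
    print(strip_session_ids(
        "https://shop.example/cart;jsessionid=ABC123?item=4&PHPSESSID=deadbeef"
    ))
```

Other query parameters are re-encoded by `urlencode`, so their percent-encoding may be normalised in the cleaned URL.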