I noticed after opening Tor a day later that I was still signed into Alphabay. This means the exit node owner could scrape the php session id, allowing them to control the account. An easy solution is to logout. Though, I question the sites security in general.
You do realize that AlphaBay is a hidden service and that exit nodes have nothing to do with them, right?