As if there weren't enough session handling mechanisms (session id's in each URL, cookies, http only cookies, JWT tokens in the request header), let me introduce you a novel one: having a service...
Bulletproof Sessions: Secure Session Handling Without Cookies
