REQ.032 Avoid session ID leakages
The system must not expose session IDs in URLs and messages presented to the user.
OWASP-ASVS v3.1-3.6. Test that the session ID is never disclosed in URLs, error messages, or logs. This includes verifying that the application does not support URL rewriting of session cookies.