
That would break the "remember me" feature for sure, unless you explicitly bookmark the site with the get parameter attached.

It also poses a security / opsec issue if anyone non-technical wants to send a link to a friend / co-worker. You may compromise yourself.

If people share their screen people would be able to hijack the session too.

You won't be able to distinguish device sessions from one another reliably either. Think of "log out all other devices".

These are what I can think of. There's probably a handful more reasons NOT to do that.



> You won't be able to distinguish device sessions from one another reliably either. Think of "log out all other devices".

You could, I think. Passing the session ID in the URL is the same as storing it as a cookie. You can invalidate both in the server.

Link sharing is an issue, for sure. You could tie the session ID to the IP, but that doesn't work when people share their IP, which is more and more common every day. IP-tied sessions would work better with IPv6, though.
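
Added example, not part of the thread: a minimal in-memory session table showing that "log out all other devices" acts on the server-side record whatever carries the ID, and that IP binding rejects a shared URL only when the recipient is on a different address. The class and function names are hypothetical, and the users, devices and documentation-range IPs are constructed sample data.

```python
import secrets

class SessionStore:
    """Server-side session table; the transport (URL or cookie) only carries the key."""

    def __init__(self):
        self._sessions = {}  # session id -> {"user", "device", "ip"}

    def create(self, user, device, ip):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "device": device, "ip": ip}
        return sid

    def validate(self, sid, ip):
        """Return the user for a live session presented from its bound IP, else None."""
        record = self._sessions.get(sid)
        if record is None or record["ip"] != ip:
            return None
        return record["user"]

    def revoke_others(self, current_sid):
        """'Log out all other devices': drop every other session of the same user."""
        user = self._sessions[current_sid]["user"]
        doomed = [s for s, r in self._sessions.items()
                  if r["user"] == user and s != current_sid]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)


def demo():
    store = SessionStore()
    # Constructed sample data: documentation-range IPs, made-up users and devices.
    laptop = store.create("alice", "laptop", "203.0.113.7")
    phone = store.create("alice", "phone", "198.51.100.20")
    bob = store.create("bob", "desktop", "203.0.113.7")
    results = {
        # A shared link opened from another network is rejected by the IP binding...
        "leaked_other_ip": store.validate(laptop, "192.0.2.55"),
        # ...but a co-worker behind the same NAT address is accepted as alice.
        "leaked_same_nat": store.validate(laptop, "203.0.113.7"),
        "revoked": store.revoke_others(laptop),
    }
    results["phone_after"] = store.validate(phone, "198.51.100.20")
    results["laptop_after"] = store.validate(laptop, "203.0.113.7")
    results["bob_after"] = store.validate(bob, "203.0.113.7")
    return results

if __name__ == "__main__":
    print(demo())
```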



