Hide transmitting session ID from URL

Is there a way to avoid session ID/token getting transmitted via URL and change it to transmit via a cookie instead? This happens when the export table feature is selected which provides a URL containing session token. I want to avoid seeing the session token in the URL but instead use cookies for the same purpose.


It is an ongoing work to make sure the Matomo token_auth is never sent as an URL parameter, but only via POST:

Hi Lukas,

Not sure if that answers my question. The issue I am facing is that when I try to export the “visits over time” data to an excel file, I am provided an URL which contains the exported excel data. However, the URL also consists of session ID which I want to avoid and instead use a method to transmit the session ID using cookies. A recent Pentest result found this issue where the session ID in the URL can be copied and could potentially pose a threat.