It is an ongoing work to make sure the Matomo token_auth is never sent as an URL parameter, but only via POST:
Not sure if that answers my question. The issue I am facing is that when I try to export the “visits over time” data to an excel file, I am provided an URL which contains the exported excel data. However, the URL also consists of session ID which I want to avoid and instead use a method to transmit the session ID using cookies. A recent Pentest result found this issue where the session ID in the URL can be copied and could potentially pose a threat.