If I visit service.com/fdoit?session=hashBase64 then I am connected to the service to f do it, but if I visit service.com I need to connect again (with a form on a 2nd page) and waste time. I know I should use bookmarks (for when the hashBase64 doesn't change) but why do we have this common behavior in 2025 ?
Its not best practice to store session details in URL, this can be compromised easily. Maybe try this, take the same URL with session id and launch it in incognito. If it still works, that means the service.com has a lot of security gaps to fill in. Otherwise, they might be storing it in cookies if its not accessible.
If anyone can access a session based on ID in a URL, that sounds like a security vulnerability waiting to happen. There are good reasons that we decided those things should go in cookies a long time ago.