I am working on an application in Oracle APEX (version 24.1) deployed via ORDS, and I am facing an issue related to session ID exposure in the URL.
The application URL contains a session parameter like:
https://abc.com:8443/ords/r/app/page?session=XXXXXXXXXXXX
As part of a security assessment, this has been flagged as:
Session Token leakage within URL query (High Risk)
Any guidance, best practices, or official recommendations would be very helpful.