Folks, I've been reading this article (https://supertokens.io/blog/all-you-need-to-know-about-user-session-security) and then performing some security tests on mobile app APIs. I noticed that many APIs clearly define an access token and include it in the header. However, others APIs define something like JSESSIONID, EG_SESSION_ID, etc.