Embed session-bound URL token in stateful URLs (with cookie still required)

[hugithordarson]

Stateful URLs (component actions, and in the future push subscriptions, deferred fragments, TaskSession URLs) currently rely entirely on the session cookie for resolution. The contextID is unique within a session, not globally, so a URL like /wo/3.5.7.2.1.0 is ambiguous without the cookie — and silently means something different (or nothing) when the cookie is missing or belongs to another session.

This conflates two distinct kinds of URL:

• Direct-action URLs are resource URLs (/wa/CustomerPage?id=42 means the same thing in any session). Cookie-only is correct.
• Component-action URLs identify "the action at element X of context Y of session Z." The session is part of the identifier, not ambient context.

Proposal

Embed a short, opaque, session-bound URL token in stateful URL paths, while keeping the real session ID in the cookie:

/wa/CustomerPage?id=42         ← direct action, cookie only
/ws/Xk9mP2/3.5.7.2.1.0         ← stateful: token in path, cookie required

Every stateful request resolves both the URL token and the cookie to a session reference and rejects mismatches.

Properties

• Token is opaque (random/UUID/signed blob), short (~8-16 chars base64), session-scoped, lifecycle-bound to the session, verified on every request.
• Real session ID never appears in URLs, history, referrer headers, or logs.
• Stateful URLs leaked via history/referrer/sharing are intrinsically harmless — useless without the originator's cookie.
• Failure modes become explicit rather than silent (stale tab after logout, copy-pasted URL, expired session) — token mismatch produces a confident rejection rather than fuzzy lookup.

Notes

• Composes with TaskSession (planned): tasks can carry their own token, scoped to the session that owns them.
• See docs/render-redesign.md for broader design context.