In the 90's and early 00's I used to see the session token in the URL of every request.
For example, instead of:
post_with_session_cookie("/auth/api/<et cetera>", ...)
$.post("/auth/<token>/api/<et cetera>", ...)
You can mitigate some of these problems by changing the token on every request, but now your security problem is only a (massive) usability problem.
None of this is the default for any major web framework, which is probably why this style of authentication completely disappeared in the mid 2000's when people stopped rolling their own backends from stratch.