This issue is not very common today, but in the past many applications placed session IDs in URLs. For example, look at the following screenshot:
Once you have identified the variable used to store the session ID, you can apply a filter to find every session ID exposed in the URLs.
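The same filter can be applied outside Burp Suite, for example to URLs exported from proxy history or taken from a web server access log. The following Python code is an added example, not part of the original text; the parameter names and the sample URLs are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Assumed parameter names; replace with the variable identified in the application.
SESSION_PARAMS = {"jsessionid", "phpsessid", "sid", "sessionid"}

# Constructed sample URLs (as exported from proxy history or an access log).
SAMPLE_URLS = [
    "http://shop.example/cart;jsessionid=A1B2C3D4E5F6?item=4",
    "http://shop.example/account?PHPSESSID=9f8e7d6c5b4a&tab=orders",
    "http://shop.example/account?PHPSESSID=9f8e7d6c5b4a&tab=profile",
    "http://shop.example/static/logo.png",
    "http://shop.example/search?q=sid",
]

def find_session_ids(url, names=SESSION_PARAMS):
    """Return (parameter, value) pairs for session IDs carried in the URL."""
    parts = urlsplit(url)
    hits = []
    # Path (matrix) parameters: /path;jsessionid=VALUE
    for segment in parts.path.split("/"):
        for param in segment.split(";")[1:]:
            key, sep, value = param.partition("=")
            if sep and key.lower() in names and value:
                hits.append((key.lower(), value))
    # Query-string parameters: ?PHPSESSID=VALUE
    for key, value in parse_qsl(parts.query):
        if key.lower() in names:
            hits.append((key.lower(), value))
    return hits

def exposed_sessions(urls):
    """Map each distinct exposed token to the URLs it appeared in."""
    exposed = {}
    for url in urls:
        for key, value in find_session_ids(url):
            exposed.setdefault((key, value), []).append(url)
    return exposed

if __name__ == "__main__":
    for (key, value), urls in exposed_sessions(SAMPLE_URLS).items():
        # Print only a prefix so the report itself does not leak full tokens.
        print(f"{key}={value[:4]}... seen in {len(urls)} URL(s)")
```

Matching is done on the parameter name, not the value, so a search term such as `q=sid` is not reported as a session ID.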
Look at the next screenshot. Here a token is detected by the scanner, and Burp Suite lists all the exposed tokens: