Creating an access token for a session and putting it as a query parameter named access_token in the URL of the session will give access to the session to anyone who has the URL.

This would load a session with Id equal to 5832ce33c93f8e1d665f15e6 even if you don't have access to it.