Translations:Manual:SessionManager and AuthManager/64/en

Any user's ID or name is publicly available, so without the token we can't know that this isn't a spoofing attempt.