Session ID is used as a parameter for the revoke session endpoint but it
should never be included in the HTML as an attacker could obtain it via
XSS.