I assume that you're concerned about security of SSRS.
I'm not familiar with session,state,token.
However I find some official documentations for you.
Reporting Services uses role-based security to grant user access to a report server. On a new report server installation, only users who are members of the local Administrators group have permissions to report server content and operations.
To make the report server available to other users, you must create role assignments that map user or group accounts to a predefined role that specifies a collection of tasks.
Which means if you do not have the permission of the report, you can't see the resources in the report server.
Nor can you access other reports by modifying the parameter of the url.
There is also an extended protection for Authentication with Reporting Services.