
Is anyone aware of documentation, RFCs, guides or research that can help move a discussion about URL design from opinion and emotion to research, documentation and facts?

Say we're building a traditional non-SPA HTML-based bank application where one can choose between accounts. The currently selected account is UI state. This selected account can be "stored" in (at least) these two ways:

  1. In the URL like https://mybank.com/balance?accountID=23423498 or https://mybank.com/accounts/23423498/balance
  2. Somewhere else, e.g. in a cookie or in session state, so that https://mybank.com/accounts/balance shows the balance of the currently selected account whatever it may be.

#1 makes deep links and multiple tabs possible, while #2 yields cleaner/simpler URLs, especially if there are multiple such UI state "dimensions", and makes implementation simpler. In reality we have 1-3 such UI state dimensions at any given time.

It doesn't really matter what my personal opinion on the matter is, because I'm not looking for opinion. My problem is that neither side can back up our "opinion" with links to authoritative documentation, research or design guides that clarify when to use what.

Note: I'm not looking for technical details about how URLs, cookies or sessions work, where they're stored, etc., but for recommendations on when to put this information into the URL and when not to.

Peter V. Mørch

1 Answer


I don't have any documentation or research for the opinion I am about to give, just my personal experience.

I would go for option #1.

Think of the end user who is trying to bookmark the page with the chosen account. With option #1, the next time he opens the page, he will be directly where he needs to be, whereas with option #2 he will need to perform some input/selection to see the account again.

#2 makes sense if the end user has only one account.

Nice links don't mean nice user experience.

As for security, it's best practice to always validate the user on each page request. So even if the end user shares the URL with someone, there should be an authentication process in between.

Rumplin
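
The per-request check the answer mentions, applied to option #1's account ID in the URL path, as an added example that is not part of the original posts. The in-memory stores, session values and the `handle_balance` function are hypothetical; the account ID `23423498` is the one from the question.

```python
import re
from http import HTTPStatus

# Constructed sample data (hypothetical, not from the original posts).
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}      # session cookie -> user
ACCOUNT_OWNER = {"23423498": "alice", "99000111": "bob"}   # account ID -> owner
BALANCES = {"23423498": "1,250.00", "99000111": "87.10"}

# Strict shape for the deep link: ASCII digits only, bounded length.
ACCOUNT_PATH = re.compile(r"/accounts/([0-9]{1,18})/balance")


def handle_balance(path, session_cookie):
    """Return (status, body) for GET <path> sent with the given session cookie."""
    # 1. Authenticate on every request: a shared or bookmarked URL
    #    carries no identity of its own.
    user = SESSIONS.get(session_cookie)
    if user is None:
        return HTTPStatus.UNAUTHORIZED, "login required"

    # 2. The account ID in the URL is untrusted input; parse it strictly.
    match = ACCOUNT_PATH.fullmatch(path)
    if match is None:
        return HTTPStatus.NOT_FOUND, "not found"
    account_id = match.group(1)

    # 3. Authorize: the account must belong to the authenticated user.
    #    Unknown and foreign accounts get the same response, so the
    #    reply does not reveal which account IDs exist.
    if ACCOUNT_OWNER.get(account_id) != user:
        return HTTPStatus.NOT_FOUND, "not found"

    return HTTPStatus.OK, f"balance: {BALANCES[account_id]}"


if __name__ == "__main__":
    # The same deep link requested by the owner, another user, and no session.
    for cookie in ("sess-alice", "sess-bob", None):
        print(cookie, handle_balance("/accounts/23423498/balance", cookie))
```

With option #2 the ownership check in step 3 moves to the point where the account is selected into session state; with option #1 it has to run on every request that carries the ID.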