FDSE uses a session-based login system. Login tokens are stored in a session cookie, if the browser supports this. Otherwise, the login token is stored in the query string.
Tokens stored in the query string are much more vulnerable to "session hijack" attacks, because the token is present and stored in all admin URL strings. These URL strings, in turn, are stored in proxies, in server logs, in the browser history, and so on. URL-based tokens may also be sent to other sites in the referring URL. Cookies, on the other hand, are kept much more private.
FDSE administrators are strongly encouraged to enable session cookies, at least within the browser and web site running FDSE.