These days, in my opinion, sessions are done better and more securely with cookies; a cookie, for example, can be set to require a secure transmission vector (usually SSL in an HTTPS request), and aren't bookmarked as part of a URL. Yes it is more difficult to see what cookies are stored in your browser than in a URL, but most browsers will allow you to view and/or clear cookies easily enough. In addition, cookies can be set to expire automatically a set time on the client so they're only valid for a specified period of time, which can be completely separate from the server side. For instance, you could create a session that would live for 5 hours, and regularly change the session ID (say every fifth request if you like); the session cookie would get updated each time, but the overall session would live only for that 5 hour window. While the same could be done with a session ID in a URL, that session ID could still end up in a bookmark; in the very unlikely event of the session ID being reused, that bookmark could represent an inadvertent attack vector.
In addition, cookies are passed with both GET and POST requests; not every page has to be a POST request to use cookies to pass session IDs, and as I explained already, a session ID in a URL can be bookmarked. GET and POST have two different purposes, and I think everyone designing web pages could stand to read through the HTTP RFC . Logins should be done exclusively with POST in my opinion, and normal data retrieval once logged in should be done with GET. There's no reason that any search engine should ever be given a session, let alone a session ID; if a search engine needs access to otherwise secured information, there are options to accomplish that, but I can't see the logic in locking up data then making it publicly available in a search engine.
