One should pass as little data in the URL as possible. URLs which contain identifying information or other user data are sometimes called "Magic URLs". With the right incantation, anyone can access the same session as you (or the intended user) can. There are system-level tricks that one can use to thwart this (e.g., checking for concurrent logins from sufficiently disparate IP addresses). These, however, do little to prevent unauthorised logins at times when the intended user is not logged in.
If one does not pass information in the URL, one is usually left to pass information in the background, using a predefined format. The problem here is that anyone who figures out the protocol, format, and server address can then emulate a session and attack the server.
Ideally, one should encrypt sensitive data before transmitting it, ensuring that the encryption algorithm is strong enough for the task. Python's crypto module is helpful for doing this when combined with strong random numbers.
Note that Python's random and whrandom modules are not sufficiently strong for cryptographic use. To get cryptographically strong random numbers on a Unix or Linux machine, it is best to read from /dev/urandom:
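# Open in binary mode so the raw bytes are returned undecoded
with open('/dev/urandom', 'rb') as n:
    data = n.read(128)  # 128 bytes from the kernel's random source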
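
As an added example (not code from the original page), the code below keeps user data on the server and hands the client only an opaque identifier drawn from the operating system's random source, which is the alternative to a Magic URL that the text argues for. SessionStore, SESSION_TTL and the sample user data are assumptions made for the illustration.

```python
import hashlib
import os
import time

SESSION_TTL = 900  # seconds a session stays valid (constructed value)


class SessionStore:
    """Server-side session table; the client holds only an opaque token."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # sha256(token) -> (user data, expiry time)
        self._clock = clock

    @staticmethod
    def _digest(token):
        # Store only a hash, so a leaked session table exposes no live tokens.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def create(self, user_data):
        # 32 bytes from the OS CSPRNG, the source /dev/urandom exposes on Unix.
        token = os.urandom(32).hex()
        expires = self._clock() + SESSION_TTL
        self._sessions[self._digest(token)] = (dict(user_data), expires)
        return token

    def lookup(self, token):
        """Return the session data, or None if the token is unknown or expired."""
        try:
            key = self._digest(token)
        except (AttributeError, UnicodeEncodeError):
            return None  # not a string, or not ASCII: cannot be one of ours
        entry = self._sessions.get(key)
        if entry is None:
            return None
        data, expires = entry
        if self._clock() >= expires:
            del self._sessions[key]
            return None
        return data


if __name__ == "__main__":
    store = SessionStore()
    token = store.create({"user": "alice", "role": "editor"})  # constructed data
    # The identity and role stay on the server; only this value is sent,
    # in a cookie or header rather than in the URL.
    print("token sent to client:", token)
    print("server-side lookup:  ", store.lookup(token))
```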

