Session token should be transferred either via cookie or HTTP POST, never thru HTTP GET.
With HTTP GET the session tokens leak to server logs, to other sites via HTTP-referer header, proxies, browser cache, browser url history, links posted by the user etc. This is especially grave if the session is related to financial dealings such as ordering product using some pre-existing account.
http://en.wikipedia.org/wiki/Session_hijackinghttp://en.wikipedia.org/wiki/Session_fixation
