Generally speaking, no confidential information should be provided as
GET parameters. This includes session info and passwords. People
have a tendency to copy and paste URLs and expect that they'll work
for everyone. If the user clicks a link to another page, the
confidential information will be provided in the Referer header. It
also screws with search engines, and so on.
Tricking someone into logging in as an account you have control over
has ridiculously many security issues. Just stick some malicious
JavaScript in your user JS, for instance, and you can possibly steal
*their* account passwords, cookies, or other sensitive info, because
you're running the JS from
en.wikipedia.org.
Of course theoretically some of this might not apply to bots, but why
do bots mind staying logged in through cookies, or at least POST
parameters?