penders - 4:08 pm on Sep 13, 2011 (gmt 0)
Good enough for me or good enough for you? :)
If you are controlling what they can access based on their login then I wouldn't have thought it mattered if IDs were blatant in the URL, providing they don't give away anything personal.
However, if a logged in user can still access information they shouldn't by manipulating the URL then you would need to do something about it IMO.