Generally speaking, no confidential information should be provided as GET parameters. This includes session info and passwords. People have a tendency to copy and paste URLs and expect that they'll work for everyone. If the user clicks a link to another page, the confidential information will be provided in the Referer header. It also screws with search engines, and so on.
Tricking someone into logging in as an account you have control over has ridiculously many security issues. Just stick some malicious JavaScript in your user JS, for instance, and you can possibly steal *their* account passwords, cookies, or other sensitive info, because you're running the JS from en.wikipedia.org.
Of course theoretically some of this might not apply to bots, but why do bots mind staying logged in through cookies, or at least POST parameters?