Basically the risk is a in any case a man in the middle or a masquerading problem whether between two servers or between the client and the server. That is a system that sits between the client and server or between the two servers can monitor the traffic or modify it and in doing so could compromise the security/privacy of messages on that channel. Basically ID information shouldn’t be sent across the wire rather sessions can be used to maintain the connection and validation of security priveleges and the like should be localized to happening on a server or within a closed network). The answer to this question all depends on the data your passing around but the end result is basically the same if you need it to be secure be sure you’re using HTTPS so the communication is encrypted and can’t be decoded with-out the key (assuming a valid implementation of HTTPS with a good certificate) and beyond this doing whatever you can to minimize the amount of “confidential” or important data being sent across the wire.

Also it doesn’t really matter if you use the URL as in GET method of HTTP Requests or you use the POST method both can be easily generated by programs like SOAP or hackers could write their own client to send the “appropriate” requests.