I learned it by EH and advice from experienced penetration testers. people compromise proxies and search the logs for qstring vars sent from forms. Some proxies log the data, even over ssl. When they get compromised an attacker will tail the log and look for session ids, credit card numbers etc. While the chances of useful info being pulled about _your_ site is pretty small from any given proxy, if one of your user's proxy servers gets hit, your user will be comprimised if the attacker is interested in their account.

Sending anything on query string that could be considered private, or is a session id is very dangerous with or without SSL. Apply that to whatever you do. Anyone can hijack a session once they have a valid id. It's not the ssl communication they are breaking, it's the proxy.

For session IDs use an https secured cookie. It's pretty easy to secure against this type of threat. The https cookie values and POST variables don't get logged.

Here's some good stuff.

This is a set of web application security guidelines. While not complete, it's a great start. At the bottom of the page are other great links.
-r