Use a crypto-quality PRNG (/dev/urandom is fine) and you should be fine, especially since the time it takes to brute-force URL parameters is very high (network latency). Just about anything is better than sequential numbers here.