it not so much from a security point of view, but from a functionality/usability point of view.
Eg say you open an edit product page and assign then product Id of the product you are editing to the session[edit_id] but before you save that, you open up an edit product page for another product in another tab (to Check something, eg stock level). Now when you go back to you other tab/window the session edit_id has been replaced with the last products I'd. If you hit save, you replace product b's details with product a. Now you have 2 product a's with different Id's.
If you was passing the product Id via post vars instead of the session, it wouldn't happen.
There are ways around this without passing everything via get/post parameters. A combination of session and post vars ensures good security/usability provided you check what is being sent via post matches what you are expecting compared wi the session.
I take the approach of using a unique form Id and storing all session vars relating to that form under that id and passing the form Id via post.