There is no problem at all with putting the
P_ID in the URL. All you will need to do is check to make sure that that user has access to that entry before allowing them to edit/view it.
Just do a SQL query to check for that.
As a side note, as mentioned in my comments, I do not agree with putting the
P_ID in with the rest of the session information. The
P_ID has to do with a single request, not the entire session.