- ...?id=mylogin
attacker knows other users login or guesses it and can easily impersonate as that user.
- ...?id=myloginecrypted
attacker knows other users login and can deduce the encoding/encrpytion sceme (e.g. by deriving from his own login->loginencrypted; i.e. "plain text attack"). One more hurdle compared to (1), but not really that harder.
- ...?id=randomtokenmatchedbyservertouser
Here there is no encryption to guess. Attacker actually has to get hold of the token for the user he wants to impersonate (Which works for (2) too, of course)
Seems you want to avoid (1) by choosing (2), which is not really an improvement IMHO. The alternative (3), proposed by others in this thread, is far "safer" with respect to your goal.