Is the Cart controller for open shopping basket?
Assuming one client will ever only have one basket open at any time, you could just use user_id from session, and fetch any (well, one) open carts where user_id = session user_id, and there's no need to send cart IDs back and forth via URL.
Alternatively, if carts do have IDs, you can also use session user_id with query without putting it on URL:
SELECT * FROM cart WHERE id = ID from URL AND user_id = user_id from session.
Having user_id on URL and then in session I don't think adds much to security, it's kind of checking one thing to itself?