Overcoming security via typing in the URL?

You are going to have to model parents as well as children, or require
they enter the username/password for each child separately. Then in
the before_filter of your actions you need to verify that the session
contains the username for the requested child. When they provide a
username and password store the username in the session. If they fail
to enter the correct username and password be sure to clear the
session values so they can not keep trying.