I'm missing the value of username-suggesting at a login-form, but anyway;
I assume that you are requesting the data using a GET-request? If you would like to prevent anyone from accessing the URL directly and retrieving data, you could use a POST-request and then only return data when the page is accessed through a POST-request (optionally combined with the session-check). Please keep in mind that this is not a bullet-proof way of preventing use.