Robbe said:
They can be a security risk particularly if you allow posting
of links on your web site. If someone were to click one
of those links, that web site could retrieve the session id
from the HTTP_REFERER and use it to "take over"
an active session.
I have tested this myself and it is incredibly easy
to duplicate successfully.
I have read that Microsoft solutions are littered with security issues,
and maybe this is an example.
I do get a lot of complaints from my customers regarding my CPI link
(payment link to Barclaycard requiring Javascript at the EDPQ site),
and they complain it won't work due to firewalls.
The figure for me is about 10-20% of customers. I contacted Barclaycard
and I was told: "If you don't like it, write your own software - this is
the MPI service also offered."
I see a lot of websites making strong assumptions about client systems,
which are not valid in many cases. I find it incredible that large
companies will ignore so many Web visitors by coding for only certain
client systems.
I was trying to find a solution to handle all clients.
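To make the Referer leak described above concrete, here is a small added example (my own code, not part of Robbe's post or any vendor's software). It spots session identifiers carried in a URL (query parameters such as PHPSESSID or sid, Java-style ;jsessionid path parameters, and the ASP.NET cookieless /(S(...))/ path form) and then simulates what Referer value a browser would send from such a page to an outbound link under several Referrer-Policy settings. The parameter-name list and the sample URLs are assumptions chosen for illustration; the policy rules follow the published Referrer Policy semantics for the values covered.

```python
"""Added example: detect session ids embedded in URLs and show what a
Referer header would carry under different Referrer-Policy values.
Parameter names and sample URLs are assumptions, not taken from any site."""
import re
from typing import List, Optional
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Query-string names commonly used to carry a session id in the URL (assumed list).
SESSION_PARAMS = {"phpsessid", "jsessionid", "sessionid", "session_id", "sid"}
# ASP.NET cookieless sessions embed the id in the path as /(S(<id>))/ .
ASPNET_COOKIELESS = re.compile(r"/\(S\([A-Za-z0-9]+\)\)/", re.IGNORECASE)


def find_session_in_url(url: str) -> List[str]:
    """Return the session-bearing parts found in url (empty list if none)."""
    parts = urlsplit(url)
    found = []
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SESSION_PARAMS:
            found.append(f"query:{name}")
    if ";jsessionid=" in parts.path.lower():
        found.append("path:jsessionid")
    if ASPNET_COOKIELESS.search(parts.path):
        found.append("path:aspnet-cookieless")
    return found


def referer_sent(page_url: str, link_url: str, policy: str) -> Optional[str]:
    """Simulate the Referer a browser sends when a user on page_url follows
    link_url, for a subset of Referrer-Policy values.  None means no header."""
    src, dst = urlsplit(page_url), urlsplit(link_url)
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme == "http"
    # Full referrer keeps path and query (where a URL session id would live);
    # origin-only referrer is the origin plus a trailing slash.
    full = urlunsplit((src.scheme, src.netloc, src.path, src.query, ""))
    origin = urlunsplit((src.scheme, src.netloc, "/", "", ""))
    if policy == "no-referrer":
        return None
    if policy == "no-referrer-when-downgrade":  # the old browser default
        return None if downgrade else full
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "strict-origin-when-cross-origin":  # current browser default
        if downgrade:
            return None
        return full if same_origin else origin
    raise ValueError(f"unsupported policy: {policy}")


def session_leaks_via_referer(page_url: str, link_url: str, policy: str) -> bool:
    """True if following link_url from page_url would hand a session id
    to the link's host inside the Referer header."""
    ref = referer_sent(page_url, link_url, policy)
    return ref is not None and bool(find_session_in_url(ref))


if __name__ == "__main__":
    # Constructed sample: a cart page with the session id in the query string.
    page = "https://shop.example/cart.aspx?PHPSESSID=abc123"
    for pol in ("no-referrer-when-downgrade", "strict-origin-when-cross-origin", "no-referrer"):
        print(pol, "->", referer_sent(page, "https://partner.example/", pol),
              "| leaks:", session_leaks_via_referer(page, "https://partner.example/", pol))
```

The takeaway for a site operator is the last two cases: a user-posted HTTPS link taken from a page whose URL carries the session id sends the whole URL under the legacy default policy, while a `Referrer-Policy: strict-origin-when-cross-origin` (or `no-referrer`) header reduces that to the origin or nothing. Keeping the session id out of the URL entirely (cookie-based sessions) removes the problem regardless of policy.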