Surely some of this is easily avoided
While tampering with session cookies is definitely an issue, although not an insurmountable one, the javascript injection is really avoidable. Memo to expedia: Cookie content is NOT trusted data.
Paris, 'cos even she's not as wide open as reports suggest.