Reply to post: Re: Simple URL manipulation

Amadeus! Amadeus! Pwn me Amadeus! Airline check-in bug may have exposed all y'all boarding passes to spies

andy 103
Boffin

Re: Simple URL manipulation

"doesn't match the one you're logged in with"

That's the problem though - the end-user (airline customers) cannot be logged in, in this case. When you make a booking with, for example Air France, your booking and account is with them. You might have logged in to the Air France website ... but you don't have an "account" on Amadeus that would require you to login. Air France have passed the data to Amadeus, but this problem is when sending data the other way.

Where I've seen this is APIs that require something basic to be passed (like an order or booking ID) and they return the data. They were intended to work in conjunction with the booking systems, e.g. Air France's website, but not be exposed to the public.

I posted before saying some will require certain information to be entered by the user to validate it, but it's not always the case that the application the API interfaces with will ask for that information, which is why it probably worked in this way to begin with. It's trivial to see HTTP requests in a browser, but I don't think the people who implement these systems assume people will do.
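As an added illustration of the design flaw andy 103 describes (example code, not from the post, Amadeus or any airline): a constructed Python lookup where the booking reference is the only thing the API checks, beside a version that requires a partner credential and traveller data before returning the record. All names, keys and records are constructed.

```python
import hmac

# Constructed booking store; keys are booking references (no real data).
BOOKINGS = {
    "AB12CD": {"surname": "Smith", "flight": "AF123", "seat": "12A"},
    "XY98ZW": {"surname": "Jones", "flight": "AF456", "seat": "3C"},
}

# Shared secrets that only the airline's own back end should hold
# (constructed; a real deployment would use per-partner keys or mTLS).
PARTNER_API_KEYS = {"airfrance": "constructed-partner-key"}


def lookup_booking_weak(booking_ref):
    """Weak design: the booking reference is the only 'credential'.

    Built for the airline's website to call, but anything that can send
    an HTTP request with a known or guessed reference gets the record.
    """
    return BOOKINGS.get(booking_ref)


def lookup_booking_hardened(booking_ref, surname, partner, api_key):
    """Hardened design for the same server-to-server call.

    1. The caller must present a partner credential, so the public
       cannot reach the data through the airline's integration path.
    2. The caller must also supply traveller data that is not part of
       the URL (here the surname), which the airline's site collects
       from the passenger.
    3. Unknown reference and mismatched surname get the same answer, so
       the API cannot be used to confirm which references exist.
    """
    expected = PARTNER_API_KEYS.get(partner)
    if expected is None or not hmac.compare_digest(api_key, expected):
        return None
    record = BOOKINGS.get(booking_ref)
    if record is None:
        return None
    if not hmac.compare_digest(record["surname"].casefold(), surname.casefold()):
        return None
    return record
```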
