We were just awarded a maintenance contract for a local bank's public website and intranet. Both were created by a local advertising and marketing firm who "specializes" in the web. During our typical security review we found this (amongst a shitload of other problems):
<?php
// Session value is compared with loose (!=) comparison
if($_SESSION['loggedin'] != 'yes') {
?>
<script type="text/javascript">
// The "redirect" is only a JavaScript hint sent to the browser; the server
// keeps rendering the rest of the page after this block.
alert('You have either linked to this page directly or your session has expired. Please login to continue');
window.location = 'http://foo.com/bar/login.php'
</script>
<?php
}
// No exit/die here, so the protected content below is still sent to the client
?>
This was the authentication check for the content management for the website. Insane! I've never seen something like this, especially when the developer is getting paid real money to build it. Needless to say, the VP we deal with was scary pissed when we reported all of the security holes we found in both sites.
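For contrast, here is what a server-side version of that gate looks like. This is an added example, not code from the original post or from the firm that built the site; the login URL and the `loggedin` session key are placeholders taken from the snippet above. The defect in the original is that the only "redirect" is JavaScript emitted into the response and PHP keeps rendering the rest of the page, so any client that ignores JavaScript (curl, a browser with scripting off, an intercepting proxy) receives the protected content anyway. The fix is to decide on the server, send a real redirect before any output, and stop executing.

```php
<?php
// Added example: server-side login gate for a PHP page.
// Not the original site's code; URL and session key are placeholders.

declare(strict_types=1);

// $_SESSION is only populated after the session has been started.
// Configure the cookie before starting so the id is not exposed to scripts
// or sent over plain HTTP.
session_set_cookie_params([
    'httponly' => true,
    'secure'   => true,   // assumes the site is served over HTTPS
    'samesite' => 'Lax',
]);
session_start();

/**
 * Abort the request with a redirect to the login page unless the session
 * carries a valid login marker. Must be called before any output.
 */
function require_login(string $loginUrl): void
{
    // Strict comparison plus isset: the original used != on a possibly
    // undefined key, which relies on PHP's loose comparison rules.
    $loggedIn = isset($_SESSION['loggedin']) && $_SESSION['loggedin'] === 'yes';
    if ($loggedIn) {
        return;
    }

    if (headers_sent()) {
        // Something was already echoed, so a Location header cannot be sent.
        // Fail closed instead of leaking the page below.
        http_response_code(500);
        exit;
    }

    header('Cache-Control: no-store');
    header('Location: ' . $loginUrl, true, 302);
    // Stop here. Without this, everything after the check is still rendered
    // and sent to the client, which is exactly the bug in the original.
    exit;
}

/**
 * Called by login.php after credentials have been verified (verification is
 * out of scope here). Regenerating the id prevents session fixation.
 */
function mark_logged_in(): void
{
    session_regenerate_id(true);
    $_SESSION['loggedin'] = 'yes';
}

require_login('https://foo.com/bar/login.php');
?>
<!-- Only requests with a valid session reach this point. -->
<h1>CMS admin</h1>
```

A quick way to confirm which kind of check a page has: request it with no session cookie and a non-browser client, for example `curl -s https://host/admin/page.php`. If the response contains the admin markup after the `<script>` block, the gate is client-side only; a correct gate returns a 302 with a `Location` header and an empty body.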