We have removed the session id from the ACP URLs, meaning that you have to make sure to use CSRF protection in all your methods which change state!
We also advise using \IPS\Request::i()->confirmedDelete() in all your methods where you're deleting data!
One of the few examples from the MP reviews is this code:
protected function approve()
{
    /* No CSRF check: any request carrying a valid ACP session is trusted */
    if ( !\IPS\Request::i()->id )
    {
        \IPS\Output::i()->error( 'node_error', '2myApp', 404, '' );
    }

    $a = \IPS\myApp\Item::load( \IPS\Request::i()->id );
    $a->open = 1;
    $a->save();

    /* Log History */
    \IPS\myApp\History::addEntry( 'foo', x, \IPS\Member::loggedIn()->name );

    \IPS\Output::i()->redirect( \IPS\Http\Url::internal( '.' ) );
}
Once an administrator with a valid ACP session calls the URL, the advert is approved automatically, meaning that any member could post an encoded URL (or use one of the other methods which I'm not going to mention here) to lead the admin into the trap!
To prevent this, you have to utilise the CSRF key and check in your method that the key is valid before anything else is done!
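A hardened version of the approve() method above, added here as an example and not taken from the announcement or from any released app. It assumes the framework offers \IPS\Session::i()->csrfCheck() to reject a request whose csrfKey is missing or wrong and \IPS\Http\Url::csrf() to append that key to a generated link; the myApp namespace, controller class and history entry are placeholders.

```php
<?php
// Added example: the same approve() action with CSRF validation done first.
// Assumed framework API: \IPS\Session::i()->csrfCheck(), \IPS\Http\Url::csrf()
// and \IPS\Request::i()->confirmedDelete(). Namespace and class are placeholders.
namespace IPS\myApp\modules\admin\adverts;

class _adverts extends \IPS\Dispatcher\Controller
{
    /* Every link that triggers a state change must carry the CSRF key. */
    protected function manage()
    {
        $approveUrl = \IPS\Http\Url::internal(
            'app=myApp&module=adverts&controller=adverts&do=approve&id=' . (int) \IPS\Request::i()->id
        )->csrf();

        \IPS\Output::i()->output = (string) $approveUrl; // placeholder: render into a template
    }

    protected function approve()
    {
        /* Reject the request before anything else if csrfKey is missing or wrong */
        \IPS\Session::i()->csrfCheck();

        if ( !\IPS\Request::i()->id )
        {
            \IPS\Output::i()->error( 'node_error', '2myApp', 404, '' );
        }

        try
        {
            $a = \IPS\myApp\Item::load( \IPS\Request::i()->id );
        }
        catch ( \OutOfRangeException $e )
        {
            /* Unknown id: fail closed instead of operating on an empty record */
            \IPS\Output::i()->error( 'node_error', '2myApp', 404, '' );
        }

        $a->open = 1;
        $a->save();

        /* Log History (placeholder entry type and value) */
        \IPS\myApp\History::addEntry( 'approve', $a->id, \IPS\Member::loggedIn()->name );

        \IPS\Output::i()->redirect( \IPS\Http\Url::internal( '.' ) );
    }

    protected function delete()
    {
        /* CSRF check first, then the standard "are you sure?" confirmation */
        \IPS\Session::i()->csrfCheck();
        \IPS\Request::i()->confirmedDelete();
        \IPS\myApp\Item::load( \IPS\Request::i()->id )->delete();
        \IPS\Output::i()->redirect( \IPS\Http\Url::internal( '.' ) );
    }
}
```

A forged request from another site cannot include the victim's csrfKey, so csrfCheck() stops it before approve() or delete() touches any data.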