Ok. Here is what I think is happening.
When you log on to Superstar it tries to set a session cookie. If it can’t set a cookie (because you are blocking them), then it puts the session data in the URL as query strings, e.g.
With Cookies – http://superstar.tibolts.co.uk/account_history_info.php
becomes:
Without Cookies – http://superstar.tibolts.co.uk/account_history_info.php?order_id=xxxxxxx&osCsid=6x7x8x2xhxmxfxvx2xuxjx5xdx
The osCsid is the important part (obviously scrambled in this example).
If someone then posts the second URL on the internet, and a logged-in user who is allowing cookies then clicks on that link, they get the page, the server sets a cookie, and they become the user.
I think.
There should be some sort of page state management in their PHP code to stop this (I am not a developer, so this could be the wrong term).
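
Added example, not part of the original post and not the site's own code: a detection check a site operator could run over web server access logs to find `osCsid` values that were carried in a URL and then requested from more than one client IP, and whether any of those requests arrived from a link on another site. The log lines, IP addresses, session IDs and the `forum.example` referer are constructed samples, and the Apache combined log format is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [01/Mar/2012:10:00:01 +0000] "GET /account_history_info.php?order_id=1001&osCsid=aaaa1111bbbb2222cccc3333dd HTTP/1.1" 200 5120 "http://superstar.tibolts.co.uk/account.php" "Mozilla/5.0"
203.0.113.9 - - [01/Mar/2012:10:05:42 +0000] "GET /account_history_info.php?order_id=1001&osCsid=aaaa1111bbbb2222cccc3333dd HTTP/1.1" 200 5120 "http://forum.example/thread/42" "Mozilla/5.0"
192.0.2.33 - - [01/Mar/2012:10:06:10 +0000] "GET /index.php?osCsid=eeee4444ffff5555aaaa6666bb HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.33 - - [01/Mar/2012:10:06:30 +0000] "GET /account.php HTTP/1.1" 200 3072 "http://superstar.tibolts.co.uk/index.php" "Mozilla/5.0"
"""

# client IP, request target and Referer from one combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" \d{3} \S+ "([^"]*)"')
SITE_HOST = "superstar.tibolts.co.uk"  # host named in the post


def find_shared_sessions(log_text, param="osCsid", site_host=SITE_HOST):
    """Return {session_id: {"ips": [...], "external_referers": [...]}} for
    every URL-carried session ID that was requested from more than one IP."""
    ips = defaultdict(set)
    referers = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, target, referer = m.groups()
        for sid in parse_qs(urlsplit(target).query).get(param, []):
            ips[sid].add(ip)
            ref_host = urlsplit(referer).hostname  # None for "-" or empty
            if ref_host and ref_host != site_host:
                referers[sid].add(referer)
    return {
        sid: {"ips": sorted(ips[sid]),
              "external_referers": sorted(referers[sid])}
        for sid in ips if len(ips[sid]) > 1
    }


if __name__ == "__main__":
    for sid, info in find_shared_sessions(SAMPLE_LOG).items():
        # Print only a prefix so the report does not leak usable session IDs.
        print(sid[:6] + "...", info)
```

A session ID seen from several IPs is a lead to review rather than proof of misuse, since one user can legitimately change address (mobile networks, proxies).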