The splitting/poisoning attack works only(?) because the first form gets redirected, which moves the params up into the header. But wait, that also happens when you log on to RU Wireless, and the CleanAccess page intercepts your first request, *then* forwards you to the page you were asking for. Would that trigger the same thing? (Maybe, if CleanAccess didn't maintain sessions to remember that info.) And of course, we could always forge a (brand new) packet to the server that *looks* like it came from a redirect, w/ all the info up in the header. ???
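
The redirect case described above, as an added example that is not part of the original note: a handler that copies a decoded form parameter into the `Location` header, beside a hardened form that rejects control characters and percent-encodes the value. The `/welcome` path, the `lang` parameter and the `X-Injected` header are constructed for illustration.

```python
from urllib.parse import quote, unquote

CRLF = "\r\n"

def redirect_unsafe(param):
    """'Before' form: the decoded parameter is copied verbatim into Location."""
    return (f"HTTP/1.1 302 Found{CRLF}"
            f"Location: /welcome?lang={param}{CRLF}"
            f"Content-Length: 0{CRLF}{CRLF}")

def redirect_safe(param):
    """Hardened form: refuse control characters, then percent-encode the value."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in param):
        raise ValueError("control character in redirect parameter")
    return (f"HTTP/1.1 302 Found{CRLF}"
            f"Location: /welcome?lang={quote(param, safe='')}{CRLF}"
            f"Content-Length: 0{CRLF}{CRLF}")

def header_names(raw):
    """Header names as a downstream proxy or cache would read the header block."""
    head = raw.split(CRLF + CRLF, 1)[0]
    return [line.split(":", 1)[0] for line in head.split(CRLF)[1:]]

# Constructed sample: a form value as it arrives on the wire (percent-encoded).
SAMPLE_WIRE_VALUE = "en%0d%0aX-Injected:%20yes"

def demo():
    decoded = unquote(SAMPLE_WIRE_VALUE)  # the framework decodes before the handler runs
    unsafe = header_names(redirect_unsafe(decoded))
    try:
        redirect_safe(decoded)
        rejected = False
    except ValueError:
        rejected = True
    benign = header_names(redirect_safe("en"))
    return unsafe, rejected, benign

if __name__ == "__main__":
    unsafe, rejected, benign = demo()
    print("unsafe handler headers:", unsafe)
    print("safe handler rejected sample:", rejected)
    print("safe handler headers (benign):", benign)
```
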