preferred solution depends on where/why you make use of the trust_credentials_attribute.implement an custom loginmodule wherein it override isPreAuthenticated method also & deploy as OSGi fragment.

Verify template & page component. Looks like error is supressed.

There is variable cq_ctrlport in the instsrv.bat file. You need to modify it for one of the instance.Modifed the cq_ctrlport to different portuninstalled the serviceran instsrv.bat.

browser-reports Http Referer header with the domains/urls submitted for your particular setup.   Payment Gateways should pass it back to next integration layer.  Check your payment configuration to pass it.    Dispatcher just acts as proxy & does not add anything.  If required you can fake using rew...

At CQ you need to custom implement for specific url.   In general AEM relies on web application/server firewall to protect.For your usecase use referrer header-based solution which can either be achieved using mod_rewrite [1] or something more elaborate like mod_security [2] on the webserver tier.[1...

Issue (CQ5-11022) has been filled.

AFAIK oob no option to have dynamic participant steps to have delegation. Please file daycare with your business case.

http://helpx.adobe.com/experience-manager/kb/invalidpollingconfiguration.html

Please file daycare & looks like a bug. 

Your cookie & config looks right to me. Please try [1] & also file daycare ticket.[1]  *   At start of dispatcher did you see message "Sticky Connections enabled"*   Just as a trial can you rename the renderid with underscore & see if it works. Just suspecting is the parser considering underscore to...