It's clear -- but I wouldn't normally want to pass control of the user's session to another server.

You're right, in that you do not want to do this with GET. In fact, you should never send anything sensitive in the URI, and should never use GET for something that might have side-effects. Modifications should be reserved for POST (or PUT or DELETE, but most servers don't implement it)

Redirection in general is a tricky thing when you're trying to force someone to post. The HTTP spec specifically warns browser authors about how they're supposed to handle redirection.

From what you're describing, I would probably have the user first go to a page for them to look over what it is that they're ordering, and on that page, populate a number of hidden fields, and have then click a subtly-disguised submit button that sends them to the alternate server in question.

I still don't like giving them control, though. Perhaps set a TARGET on the form submit, so it comes up in another window, or something.