Yes, Jpenny84, I have. As I noted, all stores on bigcommerce.com using their checkout/shopping cart have the same URLs. The part that's different is the *HOST*.
Just go to Bigcommerce.com and walk through their shopping cart apps to checkout. dorco.com is one, so is http://www.newyorkgourmetcoffee.com/
When you get to the payment portion to actually purchase something, you are handed off to a URL like store-<storeid>.mybigcommerce.com/cart.php or account.php.
Dorco's is: https://store-234ee.mybigcommerce.com/cart.php
Art4Now's is: https://store-cjysos.mybigcommerce.com/account.php
So the URL rules are useless - the URL is always "cart.php" or "account.php" for all of the stores. But each store's customer base (and therefore login and password) is entirely separate, since they are separate companies, after all.
How about, instead of offering more alternatives that, frankly, don't work, maybe explain what, exactly, is the technical or security problem with matching on the user-provided hostname (and not just the top-level domain)? We're smarter than you give us credit for, you know.
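
The matching behaviour described in the post above, as an added example that is not part of the original post and is not any password manager's own code: it compares base-domain matching, base-domain plus path rules, and full-hostname matching against the two store URLs quoted in the post. The vault entries, user names, mode names and the two-label `base_domain` shortcut are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed vault: one saved login per store, keyed to the store URLs from the post.
VAULT = [
    {"user": "dorco-customer", "url": "https://store-234ee.mybigcommerce.com/cart.php"},
    {"user": "art4now-customer", "url": "https://store-cjysos.mybigcommerce.com/account.php"},
]

def host(url):
    """Full hostname, lower-cased, without a trailing dot."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def base_domain(url):
    # Assumption: the last two labels form the registrable domain. That holds for
    # mybigcommerce.com; a real matcher would consult the Public Suffix List.
    return ".".join(host(url).split(".")[-2:])

def path(url):
    return urlsplit(url).path or "/"

def offered_logins(page_url, mode):
    """Return the saved users a matcher would offer on page_url under the given mode."""
    if mode not in ("domain", "domain+path", "host"):
        raise ValueError("unknown mode: " + mode)
    offered = []
    for entry in VAULT:
        saved = entry["url"]
        same_domain = base_domain(saved) == base_domain(page_url)
        if mode == "domain":
            ok = same_domain
        elif mode == "domain+path":
            ok = same_domain and path(saved) == path(page_url)
        else:  # "host": compare the complete hostname
            ok = host(saved) == host(page_url)
        if ok:
            offered.append(entry["user"])
    return offered

if __name__ == "__main__":
    # Constructed page URL: the first store's host with the shared account.php path.
    page = "https://store-234ee.mybigcommerce.com/account.php"
    for mode in ("domain", "domain+path", "host"):
        print(mode, "->", offered_logins(page, mode))
```

On the first store's account page, the path rule offers only the other store's login, because the path is shared and the host is ignored; the hostname comparison is the only mode that separates the two customer bases.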