Made few more changes including some cleaning up
1. Option to include relay-response url in form to be submitted to authorize.net
2. Option to provide custom relay response url (like your/secret/path instead of default cart/authorizenet_redirect/complete)
For first option to work, you must specify the relay response url in your authorize.net account settings on authorize.net website. With the 2 options above, you can operate in a more secure mode where user does not get to know the url for reporting transactions back.
Dis some clean up. No longer including the response from authorize.net back to user. Only order_id/cart_id/message is sent back to user.
With these changes, I now feel comfortable to use it in production site.