Stuart Frew <[EMAIL PROTECTED]> writes:

> The user is using the system to process client A. The cookie contains
> stateful information including the client ID.
> 
> They then open a new browser window, and look up client B, receiving a
> new session ID with new state information, including the client ID.
> 
> The user then submits the form to the server.
> 
> The server then receives the one and only cookie with a session ID in it.
> But is it for Client A or Client B? 50-50 chance of updating the right
> row. Not good.

Session information should be used for the most minimal set of data
possible.  Often times sessions get used where pnotes would be better,
or where hidden form variables would be better.  The situation you
describe is unlikely and avoidable if you set out with the idea in
mind to not put anything in a session that absolutely doesn't need to
be there; use your database to store information if you need to and if
at all feasible.

The problem you mention is real, but in "real world scenarios" it can
typically be avoided.  About the only thing you can't avoid is if the
user wants to log in simultaneously as two different users.  Most
normal users don't want to do that, though :)

Chip

-- 
Chip Turner                   [EMAIL PROTECTED]
                              RHN Web Engineer
