On 25 May 2001, Chip Turner wrote:

> The problem you mention is real, but in "real world
> scenarios" it can typically be avoided.  About the only
> thing you can't avoid is if the user wants to log in
> simultaneously as two different users.  Most normal
> users don't want to do that, though :)

only if you have a one-to-one relationship between client
(browser) session and authenticated user. this is not
mandatory if, as you point out, URLs or form fields are used
to transmit the user's id.

other than this scenario, which i've never chosen to
support, i've never met a piece of session-scoped data that
needed to be propagated back to the client besides the
client's session id.
