What is a good solution for the situation where someone logs in to your
site in their same browser as a second user (say in a new tab) without
logging out the first user? When they go back to the first tab, they
expect to be browsing as the first user, but because the user
authentication is valid for the whole browser, they are really browsing
as the second user. There is potential here for confusion and possible
security issues.
You can tell people that if you want to use two accounts simultaneously
you should open a new browser. Or, you can append every URL with a
session ID and make sure it matches the session ID of the authenticated
user.
Any other suggestions?
thanks,
jeff