Quote Originally Posted by susiej:
Problem solved for Sandra, but not the other customer ...

One web site user should never be able to access another user's session or account information. What if Sandra hadn't been prompted for a credit card, and had accidentally charged the other customer's card? That's a nightmare for her to prove she didn't mean to commit fraud. What if someone less honest had gotten the other customer's session, someone who thought, hey, great, free money and maxed out the credit card with an order? Nashbar's web site is responsible for making sure the session is from the right user.

That isn't to say that everyone's advice is wrong; the advice is very good and should protect you from badly designed websites. I would also suggest not using those "remember me on this computer" features, so that automatically being logged on feels wrong. It's like biking defensively to avoid the crazy drivers.

Security exposures from bad design are just a pet peeve of mine -- especially when user error is blamed. I tend to get a bit ranty. And I won't be ordering on the web from Bike Nashbar.
Better yet, don't share links from Bike Nashbar when you are logged in.

M