I'm trying to implement security on an application I'm currently designing.

Essentially, users are going to log in and have certain functionality available in certain locations.


User can query invoices, and create orders for location 1.
The same user can query invoices, and process payments for location 2.

I'm wondering if there are any hacking techniques out there that would allow the user to somehow change a session object/request that would allow the user, logged in and working in location 2, to somehow process a payment for location 1.

I hope my question is clear enough.

Thank you.