need help with sessions

Hi,

I have been using the modified Enhydra session management for some time
but recently I ran into problems with people that don't close their
browser window and visit my site under a different name but still with
the original cookie (=session ID).

Is there somebody who could explain me the idea behind some of the
functions of the BasicSession class? Things like

- why and when to use RefCount (decrementRefCount, incrementRefCount)

- difference between User and SessionData and their purpose

Also, when is it safe to call the deleteSession() and createSession() of
the SessionManager? I have a check for re-used session ID in the
StandardApplication.requestPreprocessor() but when I deleted and
recreated the session at that place it wasn't much happy.

Basically what I am trying to do is to throw away the original session
ID in the cookie and create a new session ID as soon as I detect a new
user. If I don't do that the users often have several windows open with
different "identities" and then confuse my user management badly
(imagine that somebody logged in as Joe Average User With No Privileges
logs in again in another window of the same browser, to a different
account (say Root) with higher privileges and then goes back to Joe
Average's window and start screwing things up there thanks to recently
gained Root's privileges.

Thanks in advance for help.

Petr