what are the security implications of running optimizelyClient.setUser() on the server-side rendering due to it being multi-user environment

[iamstarkov]

when you run client.setUser() on the client its fine, because browser is single-user environment, so you can't share or leak user details when there is just one user.

server environment is purposefully created to handle multitude of users at the same time, so one should be very careful to not leak user details in general, or mix different users up. From my understanding I need to run optimizelyClient.setUser() for optimizely to make a decision. I worry that race condition between I setUser for one user and trying to make a decision for it, there will be setUser call happening for another user and all the decision end up mixed up and broken for both users.

[mikechu-optimizely]

I'll bring up this issue along with #185 during our standup today.

[iamstarkov]

@mikechu-optimizely how did it go?

[mikechu-optimizely]

We're taking a closer look at our SSR in general. Ticket FSSDK-9975.