Using Python 2.7 in an Amazon Lambda as a backend of an Alexa Skill.
I have session attributes that the users get prompted for on the first intent they call that requires special access. They get stored as global variables, and then get sent in the response as session attributes. When a new intent is called, I read the session attributes out of it, store them as global variables, and then they yet again get sent with the next response. Basically, data that will always be in global variables when the Lambda is doing its thing, and will always be in the session attributes when the Alexa device is doing its thing.
However, this data bleeds over between users/devices in the following situation.
User 1 on Device 1 opens skill and then enters information that gets stored as a Global Variable, and also gets put into a session attribute.
User 2 on Device 2 opens skill. Somehow inherits session attributes from User 1. Uses intent that requires access, and is not prompted for the information because User 2 already has User 1's session attributes.