>When doing IT security assessments years ago (15-20) at banks we could inject numbers into LIVE CLIENT SESSIONS
That is because of cookies and server side middle of the man attacks because security is on the server and not the client. Client sessions are not client side security. You can still cheat with paper but a receipt would be a good thing. The problem is, is that it is not enforced and you still do not know what number you were in a count if counted at all. I understand all this and that.