Storing this kind of information in the session is generally a bad
idea. There are always those power users that insist on opening
several browser windows for the same session. In that case, you open
up the possibility of invalid data being written to the db. Of course,
you can get around this with some sort of request key mechanism that
detects double posting, but that's more trouble than it's worth.
Two ways of handling this are posting the parent id in a hidden field,
or making the parent id part of the url the form is posted to:
/targets/add_to_list/3 where 3 is the id of the list. Or (with slight
semantic breakage of the controller separation) /lists/add_target/3
where the target creation is handled in the lists_controller code.