Storing this kind of information in the session is generally a bad idea. There are always those power users that insist on opening several browser windows for the same session. In that case, you open up the possibility of invalid data being written to the db. Of course, you can get around this with some sort of request key mechanism that detects double posting, but that's more trouble than it's worth.
Two ways of handling this are posting the parent id in a hidden field, or making the parent id part of the url the form is posted to: /targets/add_to_list/3 where 3 is the id of the list. Or (with slight semantic breakage of the controller separation) /lists/add_target/3 where the target creation is handled in the lists_controller code.
Cheers, Max
