The lock() method given on my assignment does not seem right - it does not return a cookie that identifies a client, even though the comment explicitly states that the lock is used to lock a record so that it can only be updated/deleted by this client. I presume 'client' means an actual user. But in this case, is it reasonable to assume 'this client' implies 'this thread'?
That just means you need to be creative. Your required locking system will force you to do things differently from most people, keeping track of clients and cookies on the server completely (you can get client specific information on the server, see my previous thread on that) rather than passing the cookie to the client and letting him send it back to you.