It all depends, of course, on the interface you've got. For example, my interface does not have a lockCookie, so I had to come up with a slightly different approach. But for a thin client you don't need to pass the lockCookie back to the client; all the magic can happen on the server.
Just remember: I am not an assessor, so there is no guarantee that the given advice will not result in automatic failure. If you violate a must requirement, you'll fail (automatically). For all other decisions there is no good or wrong, just document your decisions in choices.txt and you'll be fine (and an OCMJD soon).