
php and sql deletions


Dunjohn19

10:09 am on Sep 16, 2020 (gmt 0)




Hello everyone,

I have recently finished implementing a bookmarking system for my site. Now I am working on a delete bookmark process. I am using forms to submit the deletion data. I also use CSRF tokens in each form. I have come across a problem which I cannot seem to solve. I figured that I can associate the bookmark table id (auto increment primary key column in the db) with a random value stored in a hidden input. This way, I will know which bookmark to delete. So input name = bookmarkid and value = echo random name. The random name is stored in the session so that I can retrieve the db primary key for deletion. I don't use soft deletes here because this is not sensitive data nor is it data that cannot be retrieved.

Anyway, it is possible to switch random values and delete a different bookmark. How can I prevent this? How is it typically accomplished, even with a Gmail message? How can we be certain that the form selection sent is the form selection that it is supposed to be? Follow me? If I switch the random values, the selection will be deleted even though it isn't the one that you clicked on. Fiddler tampering is one way to alter this form.

I was thinking that a session variable could be used to tie all of the data together: id with id value, id value with option name, option name with CSRF token etc.

Think about this problem and you should see that the form fields could be swapped but the deletion will still happen, as I currently have no way of associating bookmarks with form submission.

Any tips?

Dunjohn19

10:29 am on Sep 16, 2020 (gmt 0)




How about this: create a random string as a deletion id whenever a bookmark is created, thus I will need a deletionid table column. Then echo a hash of that deletion id as a hidden input value. Then password verify the delete id with the input hash and match a session id value with the primary key before a deletion occurs.

This seems like it will work. Any objections? Better ideas?
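An added example, not the poster's code, of one common way to handle the delete flow described in both posts: an opaque per-bookmark token is mapped to the row id in the session, the CSRF token is checked, and the DELETE itself is scoped to the logged-in user, so a swapped token can only ever name one of that user's own rows. It assumes a PDO connection, a `bookmarks` table with `id`, `user_id` and `title` columns, and `$_SESSION['user_id']` and `$_SESSION['csrf_token']` set at login; all of those names are assumptions.

```php
<?php
// Added example (not the poster's code). Assumes: a PDO connection $pdo,
// a bookmarks table with columns id, user_id and title, and $_SESSION
// holding 'user_id' and 'csrf_token' set at login. Table and column
// names are assumptions.
session_start();

// Rendering the list: map an opaque per-bookmark token to the row id in the
// session, so the real primary key never appears in the form.
function renderDeleteForms(PDO $pdo): void {
    $stmt = $pdo->prepare('SELECT id, title FROM bookmarks WHERE user_id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $_SESSION['bookmark_tokens'] = [];
    foreach ($stmt as $row) {
        $token = bin2hex(random_bytes(16));
        $_SESSION['bookmark_tokens'][$token] = (int) $row['id'];
        echo '<form method="post" action="delete.php">'
           . '<input type="hidden" name="csrf" value="'
           . htmlspecialchars($_SESSION['csrf_token']) . '">'
           . '<input type="hidden" name="bookmarkid" value="' . $token . '">'
           . '<button type="submit">Delete '
           . htmlspecialchars($row['title']) . '</button>'
           . '</form>';
    }
}

// Handling the POST: CSRF check, token lookup, then a delete scoped to the
// logged-in user. A swapped token can only name one of this user's own
// bookmarks; a forged or stale token matches nothing in the session map.
function handleDelete(PDO $pdo): bool {
    if (!isset($_POST['csrf'], $_SESSION['csrf_token'])
        || !hash_equals($_SESSION['csrf_token'], $_POST['csrf'])) {
        http_response_code(403);
        return false;
    }
    $token = $_POST['bookmarkid'] ?? '';
    $map = $_SESSION['bookmark_tokens'] ?? [];
    if (!isset($map[$token])) {
        http_response_code(400);
        return false;
    }
    $id = $map[$token];
    $stmt = $pdo->prepare('DELETE FROM bookmarks WHERE id = ? AND user_id = ?');
    $stmt->execute([$id, $_SESSION['user_id']]);
    unset($_SESSION['bookmark_tokens'][$token]);   // single-use token
    return $stmt->rowCount() === 1;                // false if nothing matched
}
```

The `user_id = ?` condition is the part that actually prevents cross-user deletion; the token map only hides the primary key and makes each form value single-use.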