Hi,
So I have a private page where I have a delete button.
The delete button just links to a page something like this:
mysite.com/?postid=123&confirm=1
When confirm is set, the page is deleted.
The problem is, a malicious person could reverse engineer the URL and trick (logged-in) users of the site into clicking the link.
How can I verify that the last page visited was from my site, in the private section?
Possible solutions:
I was thinking HTTP_REFERER (misspelled due to HTML standard stupidity), but heard it's not robust.
Right now I'm just setting a cookie for 1 minute, to limit the likelihood of hacking, but wonder if there is a better way.
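
One way to make the check the post asks about, shown as an added example that is not part of the original post: the delete is accepted only as a POST carrying a token the server issued for this session and this postid when it rendered the private page. The function names, `SERVER_KEY`, the 10-minute lifetime and the way the session id is obtained are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a server-side secret; generated here only so the demo runs.
SERVER_KEY = secrets.token_bytes(32)
TOKEN_TTL = 600  # seconds a rendered delete button stays valid (assumed value)


def _sign(session_id, post_id, expires):
    # Bind the token to the action, the logged-in session and the target post.
    msg = f"delete|{session_id}|{post_id}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_delete_token(session_id, post_id, now=None):
    """Called while rendering the private page; goes in a hidden form field."""
    issued = int(time.time() if now is None else now)
    expires = issued + TOKEN_TTL
    return f"{expires}.{_sign(session_id, post_id, expires)}"


def may_delete(method, session_id, post_id, token, now=None):
    """True only for a POST with a token issued to this session for this post."""
    if method != "POST":
        return False  # a bare link (GET) must never trigger the delete
    try:
        expires_str, mac = token.split(".", 1)
        expires = int(expires_str)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    current = int(time.time() if now is None else now)
    if expires < current:
        return False  # token too old
    expected = _sign(session_id, post_id, expires)
    # Constant-time comparison on bytes, so odd input cannot raise or leak timing.
    return hmac.compare_digest(mac.encode(), expected.encode())
```

A forged link or form built on another site cannot include a valid token, because the token depends on the victim's session id and the server-side key.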