Storing previous URL as session data

[eluser]erik.brannstrom[/eluser]
[quote author="Jondolar" date="1271207896"]If the user goes to the address bar and changes the 1 to a 2, just make sure they are authorized to delete that record.[/quote]

I'm no expert on this subject, but I believe the problem is when someone else than the user makes this change, which constitutes the actual attack. Say, another site that this user happen to visit while being logged into to the original site has an element like this:

Code:

<img src="mysite.com/thing/delete/25" />

Then this url will be loaded and the authentication goes well, since the session is in place, even though the user did not want to delete item #25.