On my site people can ask questions and answers can be posted. The question is at example.com/question/title. To post an answer, the form is submitted to example.com/question/post_answer/7 with 7 being the question id.
Validation is run here to make sure an answer was entered. If not, it takes you back to the original url. So the post_answer path is never actually 'seen' by users but they can obviously access it.
I'm wondering now that if a user changes the id of the question to 8, he could post an answer to another question.
This isn't really a security issue since all users would achieve is answering another question. But I'm wondering - in a scenario like this, how do you stop that kind of url tampering: storing the question id in the session and showing an error if it gets changed?
Thoughts?