Keith Brown has a great post on
how to stop visitors to your website messing around with their session state:
Many web apps rely on some form of client-side state management. It’s
either stored in a cookie, or mangled into the URL. Regardless, have you ever considered
what would happen if a user were to make small changes to (or wholesale replace) that
state? It’s really easy to do if you have the right tools (all you need is a browser
to play with mangled URLs)……