Luke G

Reputation: 1747

Direct URLs & delete confirmation forms

I am seeking best-practice advice for implementing delete confirmation forms.

The following page, among other options, contains a delete button...

/website/features/f/123

...when clicked, a simple form gets loaded under the following URL:

/website/features/f/delete/123

A user has to confirm deletion in a simple delete confirmation form. The delete button gets enabled after the 'check to confirm' checkbox is checked.

All good and clear, however I am concerned that providing direct URLs to delete options may lead to... say, situations that could be avoided.

Is there a better way of handling this scenario? Perhaps referer validation?

Upvotes: 2

Views: 125

Answers (3)

Louis Charette

Reputation: 1331

Actually, deleting something should require the user to be logged in to the site, and you should check that this user has the necessary permission to actually delete something. If your use case permits that something can be deleted publicly, then it doesn't really matter if the confirm is checked or not (think trolls). If your user has the permission to delete something, then there shouldn't be any problem except if they mistype something in the URL.

To avoid this you can also implement the DELETE HTTP request (think REST). A combination of permission and DELETE should be enough to avoid bypassing the confirm dialog.

Another solution could be to implement a validation token. The confirm dialog generates a secret token that needs to be validated by the delete action.

Upvotes: 2

Quentin

Reputation: 943936

The most common "situations that could be avoided" are:

Upvotes: 3

Luke G

Reputation: 1747

I implemented my initial referer idea. But as always I am open for suggestions and constructive criticism.

// Bounce the request back to the listing when no Referer header was sent at all.
if (empty($_SERVER['HTTP_REFERER'])) {
    $this->_app->redirect('/website/features', 302);
}

Note that this is a slim based redirect.

Upvotes: 1
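As an added example (not code from the question or from any of the answers), here is the permission + DELETE method + one-time token approach from Louis Charette's answer written out as plain PHP, alongside the Referer presence check from the last answer. The routing wiring, the `$currentUser` object with its `isLoggedIn()` / `canDelete()` methods, and the `deleteFeature()` persistence call are assumptions for illustration; the framework (Slim or otherwise) is left out so nothing depends on a specific API.

```php
<?php
// Added example: confirm-then-delete flow that does not depend on the Referer header.
// Assumed: session already started, $currentUser exposes isLoggedIn() and canDelete($id),
// and deleteFeature($id) performs the actual removal.
session_start();

const CONFIRM_TOKEN_TTL = 600; // seconds a confirmation token stays valid

// Assumed persistence call; a real application would delete the row/record here.
function deleteFeature(int $featureId): void
{
    // e.g. $db->prepare('DELETE FROM features WHERE id = ?')->execute([$featureId]);
}

// Step 1: GET /website/features/f/delete/{id} renders the confirm form.
// The form carries a one-time token bound to this session and this feature id,
// so a guessed or bookmarked URL alone can never complete a deletion.
function renderDeleteConfirm(int $featureId, object $currentUser): string
{
    if (!$currentUser->isLoggedIn() || !$currentUser->canDelete($featureId)) {
        http_response_code(403);
        return 'Forbidden';
    }
    $token = bin2hex(random_bytes(32));
    $_SESSION['delete_tokens'][$featureId] = ['token' => $token, 'exp' => time() + CONFIRM_TOKEN_TTL];

    $id  = htmlspecialchars((string) $featureId, ENT_QUOTES, 'UTF-8');
    $tok = htmlspecialchars($token, ENT_QUOTES, 'UTF-8');
    // Browsers only submit GET/POST from forms, so a _METHOD override field
    // preserves the DELETE semantics; the handler accepts either form.
    return <<<HTML
<form method="post" action="/website/features/f/delete/{$id}">
  <input type="hidden" name="_METHOD" value="DELETE">
  <input type="hidden" name="confirm_token" value="{$tok}">
  <label><input type="checkbox" name="confirm" value="1" required> Check to confirm</label>
  <button type="submit">Delete</button>
</form>
HTML;
}

// Step 2: the delete action. Returns [status, body-or-redirect-target].
// Only a DELETE (or POST + override) that carries the token issued to this
// session is honoured; a plain GET, a mistyped URL or a reused token is rejected.
function handleDelete(int $featureId, object $currentUser, array $post, string $method, array $server): array
{
    if (!$currentUser->isLoggedIn() || !$currentUser->canDelete($featureId)) {
        return [403, 'Forbidden'];
    }

    $effective = ($method === 'POST' && ($post['_METHOD'] ?? '') === 'DELETE') ? 'DELETE' : $method;
    if ($effective !== 'DELETE') {
        return [405, 'Method Not Allowed'];
    }

    // Referer presence check as in the last answer: a defence-in-depth signal only,
    // since the header is optional and often stripped by browsers and proxies.
    if (empty($server['HTTP_REFERER'])) {
        return [302, '/website/features'];
    }

    $issued = $_SESSION['delete_tokens'][$featureId] ?? null;
    unset($_SESSION['delete_tokens'][$featureId]); // one-time use, whether or not it validates
    if ($issued === null
        || $issued['exp'] < time()
        || !hash_equals($issued['token'], (string) ($post['confirm_token'] ?? ''))) {
        return [400, 'Missing, expired or invalid confirmation token'];
    }

    if (($post['confirm'] ?? '') !== '1') {
        return [400, 'Deletion not confirmed'];
    }

    deleteFeature($featureId);
    return [303, '/website/features']; // redirect after a state-changing request
}
```

The token is generated with `random_bytes`, compared with `hash_equals` to avoid timing leaks, scoped to one feature id and discarded on first use, so replaying an old form submission fails. The Referer check is kept only as an extra signal; because it can be absent for legitimate users, it should redirect rather than be the sole gate, which is why the session-bound token does the real work.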
