Currently I have it so that, when a user replies to a thread, I use $id = $_GET['id'] and pass the variable to a hidden readonly input in the reply form.
Another approach I use is a data attribute, which I retrieve with jQuery and then submit the form with Ajax. A data attribute could be changed in Firebug.
What is a good method to prevent tampering with HTML hidden fields/data attributes?
I thought about using sessions. For example, if a user has multiple windows open: page1.php?id=1, page2.php?id=2, page3.php?id=3. How would I store and retrieve the session? I can’t have a definitive session name with multiple windows open.
Obviously you can’t prevent the user from changing the HTML client-side (you can make it difficult, but not impossible). If you’re worried about people replying to threads they have no permission to reply to, you should handle that server side (check permissions before posting). That way the user can change the ID all they want, but they can still only reply to threads they are allowed to reply to.
Another option could be to use an encrypted id in the query string, but in this case I would still check the permissions server-side.
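One way to implement the server-side check described in the answers above, as an added example that is not part of the original thread. It signs the id with an HMAC instead of encrypting it (each open window carries its own signed id, so no per-window session entry is needed); the table, column and function names are hypothetical, and it assumes PHP with the pdo_sqlite extension.

```php
<?php
declare(strict_types=1);

// Added example. Hypothetical names: thread_members/replies tables, sign_id(), can_reply(), handle_reply().

function sign_id(int $threadId, int $userId, string $key): string
{
    // Tamper-evident, not secret: an edited id no longer matches its signature.
    return hash_hmac('sha256', $threadId . '|' . $userId, $key);
}

function can_reply(PDO $db, int $userId, int $threadId): bool
{
    $stmt = $db->prepare('SELECT 1 FROM thread_members WHERE user_id = ? AND thread_id = ?');
    $stmt->execute([$userId, $threadId]);
    return $stmt->fetchColumn() !== false;
}

function handle_reply(PDO $db, int $userId, array $post, string $key): string
{
    // The id arrives from a hidden field or data attribute, so treat it as untrusted input.
    $threadId = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($threadId === false) {
        return '400 invalid thread id';
    }
    if (!hash_equals(sign_id($threadId, $userId, $key), (string) ($post['sig'] ?? ''))) {
        return '403 id does not match the rendered form';
    }
    // Authoritative check: runs on every post, whatever the client sent.
    if (!can_reply($db, $userId, $threadId)) {
        return '403 not allowed to reply to this thread';
    }
    $db->prepare('INSERT INTO replies (thread_id, user_id, body) VALUES (?, ?, ?)')
       ->execute([$threadId, $userId, (string) ($post['body'] ?? '')]);
    return '201 reply stored';
}

// Constructed sample data: user 7 may reply to thread 1 only.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE thread_members (user_id INTEGER, thread_id INTEGER)');
$db->exec('CREATE TABLE replies (thread_id INTEGER, user_id INTEGER, body TEXT)');
$db->exec('INSERT INTO thread_members VALUES (7, 1)');
$key = random_bytes(32); // server-side secret, never sent to the browser

$sig1 = sign_id(1, 7, $key); // what the server would embed in the form for thread 1
echo handle_reply($db, 7, ['id' => '1', 'sig' => $sig1, 'body' => 'hi'], $key), "\n";
echo handle_reply($db, 7, ['id' => '2', 'sig' => $sig1, 'body' => 'hi'], $key), "\n";
echo handle_reply($db, 7, ['id' => '2', 'sig' => sign_id(2, 7, $key), 'body' => 'hi'], $key), "\n";
```

The third call carries a valid signature for thread 2 and is still refused, because the permission lookup, not the signature, decides who may post.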