It shouldn’t matter that they can change the values because you’ll be using some sort of authorisation to ensure that they can edit whatever they’re trying to edit.
Having said that, in my new site, I decided not to set any cookies on the user’s computer, or to start any sessions. I needed a way to show a confirmation page after the user sent a message through the contact form, so I encrypted the contact message ID with a private key and used it in the URL of the confirmation page. The confirmation page decrypts it to determine the appropriate message. Doing this prevents users from altering the URL to see other people’s sent messages.
There’s additional protection as the confirmation page is only available for 5 minutes after the form is submitted. Messages older than that can’t be loaded through that page.
Feel free to submit a message through the site contact form if you want to get an idea of how it works.
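The confirmation-link scheme described in the post above, as an added example that is not part of the original post and is not the poster's code. It swaps in an HMAC-signed token (Python standard library) for the encryption the post mentions, so the message ID is readable in the URL but cannot be changed or reused after 5 minutes. `SECRET_KEY`, `make_token` and `read_token` are hypothetical names.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Assumption: a server-side secret that is never sent to the client (constructed demo value).
SECRET_KEY = b"constructed-demo-key-replace-me"
MAX_AGE_SECONDS = 5 * 60   # the 5-minute window from the post
PAYLOAD_LEN = 16           # 8-byte message ID + 8-byte issue time
TAG_LEN = 16               # truncated HMAC-SHA256 tag


def _tag(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()[:TAG_LEN]


def make_token(message_id: int, now: Optional[float] = None) -> str:
    """Build the URL token for the confirmation page."""
    issued = int(time.time() if now is None else now)
    payload = struct.pack(">QQ", message_id, issued)
    raw = payload + _tag(payload)
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def read_token(token: str, now: Optional[float] = None) -> Optional[int]:
    """Return the message ID, or None if the token is malformed, altered or expired."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) != PAYLOAD_LEN + TAG_LEN:
        return None
    payload, tag = raw[:PAYLOAD_LEN], raw[PAYLOAD_LEN:]
    # Constant-time comparison; verify the tag before trusting any field.
    if not hmac.compare_digest(tag, _tag(payload)):
        return None
    message_id, issued = struct.unpack(">QQ", payload)
    if not 0 <= now - issued <= MAX_AGE_SECONDS:
        return None
    return message_id


if __name__ == "__main__":
    t = make_token(42)
    print(t, read_token(t))
```

If the ID itself must stay hidden, the same layout works with an authenticated cipher such as AES-GCM in place of the HMAC tag; unauthenticated encryption alone does not stop a modified ciphertext from decrypting to some other ID.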