in reply to "Hardening" a web forum app

Addressing "principles" first (but directing this response to your broad question on exploitation, rather than to the specific examples of potential problems): the simplest may be to use existing, well-tested OS forum s/w. Rolling your own with even a glimmer of a possibility of opening its use to other than those who "can all be trusted" is either:

  1. An example of the triumph of hope over experience
      or
  2. A long-term commitment to bug-eradication; hole-plugging; and user-hand-holding

Nonetheless, ++ for thinking about it....

Now, some possibly relevant procedures:

And far beyond the trivia above, lots of heavy reading about vulnerabilities and how to minimize them.