User Story:
I am an administrator of the web application and I need to delete another user of the web application. I select the user from a list of users and then can delete the user from a subsequent page.
Current (wrong) Solution:
Right now I'm storing the user-to-be-deleted's ID/primary key in a hidden form element (horrible, horrible, horrible, I know - someone could delete any user with an element inspector...). What's the best practice for something like this? Do I save the user-to-be-deleted's ID/primary key as a $_SESSION variable? A cookie? A hashed URL and grab it with $_GET?
EDIT:
There are different groups of users, managed by different administrators. The admin of Group A has no knowledge of Group B (and its users), etc. All the users are in a single table and all users can be in any number of groups. I need the user's ID protected and out of the DOM so that someone couldn't alter it and delete a user that they don't have jurisdiction over.
There is no need to use $_SESSION for such a task: sessions are for maintaining state between pages, and there is no situation like that right here.
The best practice when dealing with resources [such as users] is to setup a RESTful environment.
While you haven't set up such a system yet, you can still take advantage of HTTP requests with the $_GET and $_POST PHP arrays:
<form action="delete.php" method ="post">
<select id="user" name="user">
<option value="1">Joh Doe</option>
<option value="2">Jane Doe</option>
<option value="3">Dun No</option>
</select>
<input type="submit" value="Submit"/>
</form>
When you submit this form, you make a POST request to delete.php, and the $_POST array will contain a user key with the selected value - then you can delete the user by that key, using PDO prepared statements.
As for denying delete permissions, you have to set up your scripts to block requests if the logged-in user hasn't got enough privileges - that's another layer you have to set up properly, so I advise you to use a framework [like Symfony or Yii] so you can take advantage of their security components.
The hidden field idea is behind CSRF protection, so it is not pointless at all - and yes, it relies on sessions.
Nothing wrong with a session. Sessions are meant to store data across more than one page for a temporary time.
I'd just make sure you verify user rights when deleting users.
It's good to write e.g. a function isUser() that checks your data in session/cookies and returns true if you are logged in; then you could also have access to a var that states your rights as a user. Also, when you check that your data is OK and you are in fact logged in with correct data, you could make a $user_rights var which would contain the level of access on the site (etc.).
Then simply:
if(isUser() and $user_rights == 9) { /* code here, 9 is e.g. admin right */ }
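Putting both answers together (a POST to delete.php with PDO prepared statements, an isUser() check, a CSRF token in the hidden field, and a server-side jurisdiction check so the user ID can safely stay in the DOM), here is an added delete.php; it is not code from the question or either answer, and the table names, session keys and database credentials are assumptions:

```php
<?php
// delete.php: added example, not code from the question or answers. Assumed (hypothetical)
// schema: users(id), user_groups(user_id, group_id), group_admins(admin_id, group_id);
// a login step already set $_SESSION['admin_id'] and $_SESSION['csrf_token'].
declare(strict_types=1);
session_start();
function isUser(): bool
{
    return isset($_SESSION['admin_id']);
}
// Jurisdiction check: may this admin delete this user? The user ID from the form may be
// visible in the DOM; authorization on the server, not secrecy, is the control.
function adminMayDelete(PDO $db, int $adminId, int $targetId): bool
{
    $sql = 'SELECT COUNT(*) FROM user_groups ug
            JOIN group_admins ga ON ga.group_id = ug.group_id
            WHERE ug.user_id = :target AND ga.admin_id = :admin';
    $stmt = $db->prepare($sql);
    $stmt->execute([':target' => $targetId, ':admin' => $adminId]);
    return (int) $stmt->fetchColumn() > 0;
}
function deleteUser(PDO $db, int $targetId): int
{
    $stmt = $db->prepare('DELETE FROM users WHERE id = :id');
    $stmt->execute([':id' => $targetId]);
    return $stmt->rowCount();
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isUser()) {
    http_response_code(403);
    exit('Forbidden');
}
// CSRF: the token from the hidden field must match the one bound to this session.
if (!isset($_POST['csrf_token'], $_SESSION['csrf_token'])
    || !hash_equals($_SESSION['csrf_token'], (string) $_POST['csrf_token'])) {
    http_response_code(403);
    exit('Bad CSRF token');
}
$targetId = filter_input(INPUT_POST, 'user', FILTER_VALIDATE_INT);
if ($targetId === false || $targetId === null) {
    http_response_code(400);
    exit('Invalid user id');
}
$db = new PDO('mysql:host=localhost;dbname=app', 'app', 'secret',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
if (!adminMayDelete($db, (int) $_SESSION['admin_id'], $targetId)) {
    http_response_code(403); // logged-in admin has no jurisdiction over this user
    exit('Forbidden');
}
echo deleteUser($db, $targetId) === 1 ? 'Deleted' : 'No such user';
```

The form that posts here would carry the token as `<input type="hidden" name="csrf_token" value="...">`, generated once per session with random_bytes().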