Is using TempData["id"] safer than using a hidden field to track the identifier between the HttpGet and HttpPost callbacks?

Purpose:

So that users do not fake any identifier (for example: CustomerId, UserId, ProductId, etc.) during a round trip (from the HttpGet processing method to the HttpPost processing method), I want to use TempData[].

However, most people use hidden fields to track identifiers. But I think that users can still fake them.

In short

  • Is TempData["id"] safer than using a hidden field to track the identifier between the HttpGet and HttpPost callbacks?
  • Are there any disadvantages with using TempData[]?

Change 1

In this case, I use TempData[] only for tracking identifiers, and not for other fields. The remaining fields are still available to users.

+3
3 answers

You should always check the user input and, in this case, make sure that the user does in fact have access to whatever identifier is transmitted. Is it safer? Not really, because there is nothing wrong with hidden inputs if you check anyway.

Using TempData means that you accept parameters from the routes of the (supposedly) HTML form and now TempData. This seems terribly complex, not a real defense inside your controllers.

TempData . , Post TempData, .

+6
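
The check this answer describes, as an added example that is not part of the original thread: an ASP.NET MVC POST action that treats the posted identifier as untrusted and authorizes it against server-side state. `Customer`, `ICustomerRepository`, `OwnerUserName` and the `Details` action are hypothetical names, and MVC 5 with a dependency resolver supplying the repository is assumed.

```csharp
using System;
using System.Net;
using System.Web.Mvc;

// Hypothetical types for this example (not from the original page).
public class Customer
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public string DisplayName { get; set; }
}

public interface ICustomerRepository
{
    Customer Find(int id);          // returns null when no such record exists
    void Save(Customer customer);
}

public class CustomerController : Controller
{
    private readonly ICustomerRepository _customers;

    public CustomerController(ICustomerRepository customers)
    {
        _customers = customers;
    }

    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken]      // the form must render @Html.AntiForgeryToken()
    public ActionResult Edit(int id, string displayName)
    {
        // 'id' comes from a hidden field or the route: attacker-controlled either way.
        Customer stored = _customers.Find(id);
        if (stored == null)
            return HttpNotFound();

        // Ownership is decided from the stored record and the authenticated identity.
        if (!string.Equals(stored.OwnerUserName, User.Identity.Name, StringComparison.OrdinalIgnoreCase))
            return new HttpStatusCodeResult(HttpStatusCode.Forbidden);

        // Copy only the fields the user is allowed to change onto the stored record.
        stored.DisplayName = displayName;
        _customers.Save(stored);
        return RedirectToAction("Details", new { id = stored.Id });
    }
}
```

With this check in place, a tampered `id` yields a 404 or 403 instead of an update to another user's record, whichever mechanism carried the value between the GET and the POST.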

, , TempData . , ( ), cookie. .

(, ), .

MVC 2 , TempData . .

+1

URL- , .., , ( id), . (, ), , .

+1