I am writing a web application in ASP.NET MVC 3.
Assume that we have some page with an @Html.Hidden field on it that carries some information. Can I be sure that the user will never be able to reach the information in the hidden field?
In short: is it safe to use hidden fields for information that should not be revealed to the user?
Absolutely not. It will still be sent to the client – it just won’t be visible in the rendered HTML. If anyone uses “view source” they’ll still see the field.
I suggest you try it to see for yourself – create the hidden field, then view the page in a browser and select “View Source”. It’s always good to have some idea of what the generated HTML looks like.
If you must send the information to the client, encrypt and sign it first – that way the user won’t be able to view it in plain-text, and they won’t be able to forge a different value in the response, other than “previously seen valid values”.
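The "encrypt and sign it first" advice in the answer above is language-neutral, so here is an added example of what it looks like in practice. It is not code from the question or the answer, and it is written in Go rather than C# because Go's standard library ships an authenticated-encryption primitive (AES-GCM) that the verifier can run; in ASP.NET the same shape is built from the System.Security.Cryptography types. The function names (Seal, Open, FlipLastByte), the "session-A"/"session-B" context strings and the demo key are all assumptions made for the illustration. It goes one step beyond the answer: binding the token to a per-session context string as additional authenticated data, so a valid value captured from one user's page is rejected when another user submits it. Replay of the same token by the same session still verifies, which is exactly the "previously seen valid values" caveat in the answer; if that matters, add an expiry or a server-side one-time record as well.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// ErrInvalidToken covers everything the server did not itself issue for this
// context: malformed encoding, a flipped byte, or a token bound to another session.
var ErrInvalidToken = errors.New("hidden field value is invalid or was tampered with")

// Seal encrypts and authenticates a hidden-field value with AES-256-GCM and
// returns it base64url-encoded for embedding in the form. context (here a
// session id, an assumption for the example) goes in as additional
// authenticated data, so the token only verifies when the same session
// submits it back.
func Seal(key []byte, context string, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	// A fresh random nonce per token; it is not secret but must never repeat for a key.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	// Token layout: nonce || ciphertext || GCM tag.
	sealed := gcm.Seal(nonce, nonce, plaintext, []byte(context))
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Open decodes and verifies a token produced by Seal. Any change to the token,
// or a different context, makes the tag check fail; all failures are reported
// as the same ErrInvalidToken so the client learns nothing about why.
func Open(key []byte, context string, token string) ([]byte, error) {
	sealed, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return nil, ErrInvalidToken
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, ErrInvalidToken
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	plaintext, err := gcm.Open(nil, nonce, ciphertext, []byte(context))
	if err != nil {
		return nil, ErrInvalidToken
	}
	return plaintext, nil
}

// FlipLastByte simulates a user editing the hidden field in the browser:
// it flips one bit of the decoded token and re-encodes it.
func FlipLastByte(token string) string {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil || len(raw) == 0 {
		return token
	}
	raw[len(raw)-1] ^= 0x01
	return base64.RawURLEncoding.EncodeToString(raw)
}

func main() {
	// Constructed demo key; a real server loads a fixed 32-byte key from configuration.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}

	// Server renders the page: the value the user must neither read nor change.
	token, err := Seal(key, "session-A", []byte("unitPrice=100.00;discount=0"))
	if err != nil {
		panic(err)
	}
	fmt.Println("hidden field value:", token)

	// Legitimate postback from the same session.
	if pt, err := Open(key, "session-A", token); err == nil {
		fmt.Println("accepted:", string(pt))
	}
	// Edited in the browser before submit.
	if _, err := Open(key, "session-A", FlipLastByte(token)); err != nil {
		fmt.Println("tampered token:", err)
	}
	// Copied from one user's page and submitted in another user's session.
	if _, err := Open(key, "session-B", token); err != nil {
		fmt.Println("token from another session:", err)
	}
}
```

The server-side handler should treat anything Open rejects as a bad request and never fall back to the raw field value. Also worth remembering before reaching for this: if the value only has to survive a round trip through the user's browser and nothing else, keeping it in server-side session state and sending no hidden field at all avoids the problem entirely.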