I’m creating a system using ASP.NET MVC for filling out online job applications. It’s really just an experiment to familiarize myself with the MVC framework. I’m definitely not a security expert so I just wanted to get some advice here since this web app will be dealing with sensitive information.

The system has a wizard-like set of views. You go from one view to the next filling out the relevant information until the end when you finally submit it.

Each job application is stored in the database with a GUID primary key. Right now I am simply storing that GUID in a hidden field in the view of each page. This makes it easy to update the model in the controller like so:

[HttpPost]
public ActionResult ExampleAction(FormCollection formValues)
{
    Guid appId = new Guid(Request.Form["ModelId"]); // the GUID stored in the hidden field
    ExampleModel example = db.Entities.Single(e => e.ModelId == appId);

    UpdateModel(example, formValues);
    db.SaveChanges();

    return RedirectToAction("ExampleAction2", new { appId = appId.ToString() });
}

I know this is not secure because anyone with any kind of development experience knows you can edit the values of hidden fields in any browser’s developer tools. So what’s the recommended way to securely get the same results?