Objective:
To prevent users from tampering with any id (example: CustomerId, UserId, ProductId, etc.) between a round trip (from invoking HttpGet-handling to HttpPost-handling action methods), I want to use TempData[].
Most people, however, use hidden fields to keep track of the ids. But I think users can still tamper with them.
Shortly speaking,
- Is using TempData["id"] safer than using hidden field for tracking an id between a round trip HttpGet and HttpPost?
- Is there any disadvantage using TempData[]?
Edit 1
In this scenario, I use TempData[] only for tracking ids, not for other fields.
The other fields are still exposed to the users.
You should always validate user input and in this case make sure that whatever ID is passed in is actually the Id a user has access to. So is it safer? Not really, because there is nothing flawed with hidden inputs if you do validation like you should anyway.
Using tempdata would mean you are accepting parameters from the routes (presumably), the HTML form, and now TempData. That seems awfully complex instead of having real security inside of your controllers.
TempData also goes away after every request made to it. That means your Post methods will also have to populate TempData adding additional complexity.
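
The server-side check the answer describes, as an added example that is not part of the original question or answer: the posted id is treated as untrusted and compared against what the authenticated user owns. `CustomerStore`, `CustomerEditHandler`, the sample users and the status codes returned are hypothetical names and choices made for this sketch; in a real controller the user name would come from the authenticated identity, not from the form.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical in-memory store standing in for the database: customerId -> owning user.
static class CustomerStore
{
    static readonly Dictionary<int, string> Owners = new Dictionary<int, string>
    {
        { 1, "alice" },   // constructed sample data
        { 2, "bob" },
    };

    public static bool IsOwnedBy(int customerId, string userName)
    {
        string owner;
        return userName != null
            && Owners.TryGetValue(customerId, out owner)
            && string.Equals(owner, userName, StringComparison.Ordinal);
    }
}

static class CustomerEditHandler
{
    // Mirrors what an [HttpPost] action would do. postedCustomerId arrives from the
    // hidden field and is user-controlled; currentUser comes from the authenticated
    // identity, never from the form. Returns the HTTP status the action would produce.
    public static int HandlePost(int postedCustomerId, string currentUser, string newName)
    {
        if (string.IsNullOrEmpty(currentUser))
            return 401; // not authenticated
        if (!CustomerStore.IsOwnedBy(postedCustomerId, currentUser))
            return 403; // tampered or foreign id; same answer whether or not the record exists
        if (string.IsNullOrWhiteSpace(newName))
            return 400; // the other posted fields still need validation
        // ... update the record here ...
        return 200;
    }
}

static class Program
{
    static void Main()
    {
        Console.WriteLine(CustomerEditHandler.HandlePost(1, "alice", "Acme"));  // own record
        Console.WriteLine(CustomerEditHandler.HandlePost(2, "alice", "Acme"));  // hidden field changed to another user's id
        Console.WriteLine(CustomerEditHandler.HandlePost(99, "alice", "Acme")); // id that does not exist
    }
}
```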