Suppose that I have a request handler that accepts an argument: key
And let the request be:
When the handler receives a GET, relevant data is fetched from db based on this key, fed to a form and displayed. In the process, the value of key is put in a hidden input.
When it receives a POST, it has the key argument from the query string, as well as the key from the hidden input, which are the same, provided that the user has not tampered with them.
I’d like to know if it’s the hidden input or the query string argument I should rely on when the data on the form will be saved to db. The problem is that query string may be modified by the user prior to post, just like the hidden input may also be modified since the source is open to the user.
Well, any data that you send to the client has the potential to be modified (it may not be trivial, but the possibility exists, nevertheless).
There are many options; Querystrings, hidden fields, cookies to name a few. Each of them suffers from this very drawback – the possibility that a malicious user may modify the data in those entities.
Your best bet is to use strong encryption. Whether it is the data in the hidden field or a cookie, it can be easily encrypted. Then when the request is received, it can be compared with the value existing before the earlier response and it can be decrypted with the reasonable faith that the data has not been tampered with. For a good example, you should research how ASP.NET Viewstate works.
So, to answer your question, you should rely on neither state persistence method without additional security implementation. As they say, Security through obscurity is not security at all.