Is using TempData["id"] safer than using hidden field for tracking an id between a round trip HttpGet and HttpPost?

Objective:

To prevent users from tampering any id (example: CustomerId, UserId, ProductId, etc) between a round trip (from invoking HttpGet-handling to HttpPost-handling action methods), I want to use TempData[].

Most people,however, use hidden fields to keep track the ids. But I think users can still tamper them.

Shortly speaking,

1. Is using TempData["id"] safer than using hidden field for tracking an id between a round trip HttpGet and HttpPost?
2. Is there any disadvantage using TempData[]?

Edit 1

In this scenario, I us开发者_JS百科e TempData[] only for tracking ids, not for other fields. The other fields are still exposed to the users.

You should always validate user input and in this case make sure that whatever ID is passed in is actually the Id a user has access too. So is if safer? Not really because there is nothing flawed with hidden inputs if you do validation like you should anyway.

Using tempdata would mean you are accepting parameters from the routes ( presumably ) the HTML form and now TempData. That seems awfully complex instead of having real security inside of your controllers.

TempData also goes away after every request made to it. That means your Post methods will also have to populate TempData adding additional complexity.

From what I know TempData is stored in the session. Technically this is more secure than hidden fields (almost anything is) unless your session data is persisted in cookies. Then they are about the same.

If your session data is stored server side (say memory or database) then you are okay.

MVC 2 and higher, the TempData is only cleared when read. So you should be good for that.

Typically you'd expose the id in the URL and use permissions, validation, etc. to ensure that users are only accessing data (by id) that they really should be. If you really need to track data (say, through a wizard or a shopping cart) that shouldn't be on the page, then I'd suggest simply using the session explicitly.