HTML input readonly security risk?
Is it safe to rely on the data of an HTML input field set to readonly? What is the purpose of a readonly field?
I know that disabled fields are not pushed to $_POST whereas readonly ones are? Essentially what I want is a dynamic value in my form that is unchangeable by the user.
Would it be more appropriate to place this in session, or what options do I have?
EDIT: As some below have mentioned, storing this in session is a better idea, although after reading Storing objects in session I am concerned about performance and overloading the server with session data. Any suggestions? Would it be safe to just unset() any session data no longer needed? (Similar to memory management but on the session level: delete what you do not need.)
Well, it will work in the sense that users cannot put text into a readonly field. But anyone could forge a post with those fields modified easily.
So no, it's not very good security.
For your other question you should give us more details about what you need that readonly field for. Maybe sessions are right for you; maybe you do not need to do anything more than not write whatever's in a readonly field to the db when the form is submitted.
If an input is readonly, but you pass its value to the server anyway, that's not safe. It's very easy to manipulate the page's source.
If you want to remember some value, yes, use sessions. You may display it in the readonly input, but never pass a value through an input like this.
edit: Iznogood is right, someone can modify the POST values and send a fake header.
Nope. It is not safe to rely on the data of an HTML input field set to readonly, just as it is not safe to rely on any client-supplied data.
It would be the only possible solution to place this in session.
With Firebug you can easily make it writable, so you don't even have to fake a post request using something like curl.
If it is really readonly, then you can just ignore it server side, so even changing the value will not do anything with your data (e.g. in your database).
For me the reason to show someone a readonly field is to use the same form as a preview of a filled out form. But in this case you should not use it to send the data to your backend again.
For your second question: Session data is usually stored in a text file on the server. It will be deleted after some inactive time (standard is 24 minutes). You should not care about how big the data is. I also used session to store some hundred megabytes for some scripts. But it is a good idea to unset the form data from the session after the data has been successfully saved to the database (or any other persistent media). Storing it in a session will also allow you to refill a form, even if the user does not press the back button or the browser does not recover the data correctly.
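As an added illustration (not code from the question or from any of the answers above), here is a PHP handler in the weak form that trusts the readonly field, beside the session-based form the answers recommend. The field names, the `show_form`/`save_order_*` functions and the "order total" value are hypothetical:

```php
<?php
// Added example. Assumes a checkout-style form where a server-computed
// "total" must not be changeable by the user. Names are hypothetical.
session_start();

// --- Weak version: trusts the readonly field ------------------------------
// The readonly attribute is only a browser hint. The DOM can be edited or the
// POST body hand-crafted, so $_POST['total'] is attacker-controlled input.
function save_order_weak(array $post): array
{
    return ['total' => (float) $post['total']]; // client-supplied: unsafe
}

// --- Hardened version: the authoritative value lives in the session -------
function show_form(float $computedTotal): string
{
    $_SESSION['order_total'] = $computedTotal;   // server keeps the truth
    $shown = htmlspecialchars(number_format($computedTotal, 2), ENT_QUOTES, 'UTF-8');
    // The readonly input is for display only; its posted copy is ignored.
    return '<form method="post">'
         . '<input type="text" name="total_display" value="' . $shown . '" readonly>'
         . '<button type="submit">Confirm</button>'
         . '</form>';
}

function save_order_safe(array $post): ?array
{
    if (!isset($_SESSION['order_total'])) {
        return null;                             // no pending order: reject
    }
    $total = $_SESSION['order_total'];           // never read $post['total_display']
    // ... persist $total to the database here ...
    unset($_SESSION['order_total']);             // drop it once saved, as suggested above
    return ['total' => $total];
}
```

Whatever value a forged request places in `total_display`, `save_order_safe()` persists only what the server stored in the session.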