Hidden form field performance

Question

I have been using hidden form fields in my code a lot of times. Depending upon the requirement, I store some values in this/these hidden field/s, so I can easily access them from JavaScript code and avoid a PostBack. However, I wanted to know some things

1. Is there a limit I should not cross in terms of populating the hidden field?
2. Does the use of Hidden field cause some sort of security threat ?

I did find a discussion on hidden form fields, however it did not satisfy all my queries.

I would really appreciate any links or explanation ?

Thanks in advance

Answer 1

This is what I would say:

1. Hidden form fields typically have no limit to the length as long as you are using POST as your method. I've never used forms with GET form requests (with RESTful services for example), it's apparently still best to keep your total GET request to 2KB or less, but this limit actually comes down to the maximum length of the URL and vary from browser to browser (this means chunking very large data into multiple 2k hidden fields won't work for GET submits).

2. If you are using hidden form fields to store information about the user's application state (instead of using .NET to manager this for you), then you need to be aware that users can (and maybe will) modify these fields in ways you didn't expect. If a field shouldn't be changeable by a user, you should include in another hidden variable a hash or checksum of the data so that you can easily detect unexpected changes (and at least clear the user's state). With modern web inspector panels in Chrome, IE, Safari, and Firefox, it is trivially easy to modify pages in ways developers might not have expected. Simply treat all data being returned (including all query strings, form fields, cookies and request headers) from the client as tainted (ie 'dangerous') and act accordingly.