Prevent change of hidden field

Backend · Unresolved · 2 answers · 1294 views
时光说笑  2021-02-05 23:47

What if I have a ChangePassword form with a hidden ID field of the user.

BadPerson knows id of GoodPerson. He opens Change Password form with FireBug, changes his Id to GoodP

2 answers
  •  春和景丽
    2021-02-06 00:14

    There is nothing that will let you know whether a hidden field's value has been changed or not. For a user to change his password it means that he needs to be authenticated. When using forms authentication the ID of the currently authenticated user is stored in an encrypted cookie which cannot be modified.

    This is to say that you shouldn't use hidden fields for storing the currently connected user. Just use the built-in FormsAuthentication mechanism in ASP.NET and never store such information in hidden fields. The way ASP.NET knows that the value of the cookie hasn't been tampered with is that it signs it with the machineKey specified in the configuration.

    There's an important rule that you should follow when dealing with security and authentication: always use built-in security mechanisms, never roll your own.
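    The following is an added example, not code from the question or the answer above: an ASP.NET MVC controller that shows the vulnerable pattern the question describes (whose password is changed is decided by a hidden `UserId` field the client controls) beside the fix the answer recommends (take the identity from the forms-authentication ticket via `User.Identity.Name` and never from the POST body). `AccountController`, `ChangePasswordViewModel` and the action names are assumptions; the Membership calls (`Membership.GetUser`, `MembershipUser.ChangePassword`) are the standard `System.Web.Security` API.

```csharp
using System.Web.Mvc;
using System.Web.Security;

// Added example, not from the original post. Assumed names: AccountController,
// ChangePasswordViewModel, and the two action methods.
public class ChangePasswordViewModel
{
    public string OldPassword { get; set; }
    public string NewPassword { get; set; }
}

[Authorize] // unauthenticated requests never reach these actions
public class AccountController : Controller
{
    // VULNERABLE (the pattern in the question): the target account is taken
    // from <input type="hidden" name="userId" value="..."> in the form.
    // BadPerson edits that value to GoodPerson's id in Firebug and the
    // server obeys, because nothing ties userId to the logged-in user.
    [HttpPost]
    public ActionResult ChangePasswordInsecure(int userId, string newPassword)
    {
        MembershipUser victim = Membership.GetUser((object)userId);
        if (victim == null) return HttpNotFound();

        // ResetPassword + ChangePassword: sets an arbitrary new password
        // for whatever account the client named. No ownership check.
        string temp = victim.ResetPassword();
        victim.ChangePassword(temp, newPassword);
        return RedirectToAction("ChangePasswordSuccess");
    }

    // FIXED (what the answer recommends): no id is accepted from the client.
    // The identity comes from the forms-authentication ticket, which ASP.NET
    // validates against the machineKey before populating User.Identity, so
    // the attacker has nothing editable that selects the account.
    [HttpPost]
    [ValidateAntiForgeryToken] // form must render @Html.AntiForgeryToken()
    public ActionResult ChangePassword(ChangePasswordViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        MembershipUser self = Membership.GetUser(User.Identity.Name);
        if (self == null) return new HttpUnauthorizedResult();

        // Requiring the old password means a hijacked session alone is not
        // enough to lock the real owner out.
        if (!self.ChangePassword(model.OldPassword, model.NewPassword))
        {
            ModelState.AddModelError("",
                "The current password is incorrect or the new password was rejected.");
            return View(model);
        }
        return RedirectToAction("ChangePasswordSuccess");
    }
}
```

    The check that matters is the absence of a client-supplied account selector: any value that arrives in the request body, hidden field or not, must be treated as attacker input, and the account acted on must be derived server-side from the authenticated principal. Where a legitimate feature genuinely needs to name another account (an administrator resetting a user's password), the posted id is still untrusted and the action must verify, against `User`, that the caller is authorized to act on that specific account.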
