Is the use of hidden fields in forms insecure?

Backend · Unresolved · 4 · 1384
半阙折子戏 2021-01-12 15:19

For example, imagine I have the following form:

  <%= form_for(@comment) do |f| %>

    <%= f.hidden_field :user_id%>
    <%= f.hidden_field
4 answers
  •  轮回少年
    2021-01-12 15:44

    A hidden field in a form is no more or less secure than any other data that comes from the user. That is, it should not be trivially trusted: it comes from the user and is open to manipulation and specialty injection.

    When the data is sent back to the server, the server should validate that data and not assume that the operation is allowed/invalid just based on a particular user-modifiable context. Depending upon needs, approaches like hash checksums can be used to have a very high degree of confidence that the data was not tampered with (but again, this should be verified by the server each request!). Using "session state" mitigates the problem entirely by keeping the data out of user-manipulation land.

    Happy coding.
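
The two mitigations the answer above names, as an added example that is not code from the question or the answer. It is plain Ruby using only the standard library's OpenSSL bindings, not Rails; the signing key, the `value--hexdigest` layout and the `create_comment_*` handler names are this example's own constructed conventions, not Rails' built-in signed-value format or a real controller.

```ruby
require "openssl"

# Constructed secret for this example only. In a real app the signing key
# comes from the server's credential store and never appears in the form.
HIDDEN_FIELD_SECRET = "example-signing-key-constructed-for-this-example".freeze

# Sign a hidden-field value so the server can detect tampering when the
# form comes back. The "value--hexdigest" layout is this example's own
# convention, not Rails' built-in signed-value format.
def sign_hidden_value(value)
  digest = OpenSSL::HMAC.hexdigest("SHA256", HIDDEN_FIELD_SECRET, value.to_s)
  "#{value}--#{digest}"
end

# Constant-time string comparison so the check does not leak how many
# leading bytes of the digest matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns the original value if the signature matches, otherwise nil.
def verify_hidden_value(signed)
  value, digest = signed.to_s.split("--", 2)
  return nil if value.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA256", HIDDEN_FIELD_SECRET, value)
  secure_equal?(digest, expected) ? value : nil
end

# The pattern the question asks about: the server believes whatever
# user_id the browser sent back in the hidden field.
def create_comment_insecure(params)
  { user_id: params["user_id"].to_i, body: params["body"] }
end

# Option 1 from the answer: a checksum detects tampering, and the server
# still authorises the request against the logged-in user on every call.
def create_comment_signed(params, session)
  user_id = verify_hidden_value(params["user_id"])
  return { error: "hidden field was tampered with" } if user_id.nil?
  return { error: "forbidden" } unless user_id.to_i == session[:user_id]
  { user_id: user_id.to_i, body: params["body"] }
end

# Option 2 from the answer: keep the identity in session state and ignore
# any user_id the form carries.
def create_comment_session(params, session)
  { user_id: session[:user_id], body: params["body"] }
end

if __FILE__ == $PROGRAM_NAME
  session  = { user_id: 42 }                                   # constructed logged-in user
  honest   = { "user_id" => sign_hidden_value(42), "body" => "hi" }
  tampered = { "user_id" => honest["user_id"].sub(/\A42--/, "7--"), "body" => "hi" }
  p create_comment_insecure("user_id" => "7", "body" => "hi")  # stores whatever id was sent
  p create_comment_signed(honest, session)                      # user_id 42
  p create_comment_signed(tampered, session)                    # rejected: digest no longer matches
  p create_comment_session(tampered, session)                   # user_id 42, hidden field ignored
end
```

The signature only proves the value left the server unchanged; it says nothing about whether this user may act as that `user_id`, which is why `create_comment_signed` still compares against the session. The session-only handler avoids the question altogether, which is the answer's point about keeping the data out of the user's hands.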
