nima

Reputation: 6733

In ASP.NET, how to prevent tampering for a hidden field value

I have a user control with a few dropdowns. I refill the dropdowns using ajax whenever one of them is changed based on the new selected value.

The value of one of these dropdowns is the final value of the user control, which I want to bind to a data field.

The problem is ASP.NET doesn't recognize values of dropdowns because they were generated client-side. So I used a hidden field, and whenever a value is selected in the dropdown I put that value in the hidden field and return the value of the hidden field as the user control value, and everything works fine except

I'm afraid that a user might tamper with the value of that hidden field and set it to an illegal value. Is there a better way to do that?

Upvotes: 4

Views: 1220

Answers (3)

Mark Redman

Reputation: 24535

Always validate all inputs on the server side. Client-side validation is added mainly to give instructions to the user and to prevent unnecessary round trips.

Upvotes: 2

Dustin E

Reputation: 368

You should validate all client-side input on the server side, regardless of any client-side validation that you can employ. Input from a client-side page can be tampered with in many different ways and should be treated as untrustworthy.

The ideal security practice is to validate input at every level, as if the data coming from the previous level is coming from an untrusted source. This means validating at the client level, the server level, and the SQL level.

Upvotes: 1

JeremyWeir

Reputation: 24388

If you were binding to the select a user could tamper with those values too. Just validate the hidden field like you would with any other input. And don't worry about pretty feedback, just throw an exception if the value is out of range. If someone is trying to fiddle with your form, who cares if he gets ugly errors.

I guess to answer your question more succinctly: you can't prevent tampering on the client, all you can do is validate - server side

Upvotes: 9
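
The server-side check the answers describe, as an added example that is not part of the original posts: the posted hidden-field value is re-checked against the options the server itself would have offered for the selected parent, and anything else throws. `CascadeValidator`, the lookup table and the IDs are hypothetical; in a Web Forms page the two strings would be the posted parent value and the hidden field's `Value`.

```csharp
using System;
using System.Collections.Generic;

// Added example, not code from the question or answers.
// CascadeValidator, AllowedChildren and the sample IDs are hypothetical.
public static class CascadeValidator
{
    // Constructed sample data: in a real application this lookup is the same
    // server-side query that feeds the AJAX call populating the child dropdown.
    private static readonly Dictionary<int, HashSet<int>> AllowedChildren =
        new Dictionary<int, HashSet<int>>
        {
            { 1, new HashSet<int> { 10, 11, 12 } },
            { 2, new HashSet<int> { 20, 21 } },
        };

    // Returns the validated child ID, or throws if the posted strings do not
    // name a legal parent/child pair.
    public static int Validate(string postedParent, string postedHidden)
    {
        if (!int.TryParse(postedParent, out int parentId) ||
            !int.TryParse(postedHidden, out int childId))
            throw new ArgumentException("Posted value is not a valid integer.");

        // Membership is checked per parent, so an ID that is legal under a
        // different parent is still rejected.
        if (!AllowedChildren.TryGetValue(parentId, out HashSet<int> children) ||
            !children.Contains(childId))
            throw new ArgumentOutOfRangeException(nameof(postedHidden),
                "Posted value is not a legal option for the selected parent.");

        return childId;
    }
}

public static class Program
{
    public static void Main()
    {
        // Legal pair: passes and returns the parsed ID.
        Console.WriteLine(CascadeValidator.Validate("1", "11"));

        // Tampered hidden field: 21 exists, but not under parent 1.
        try { CascadeValidator.Validate("1", "21"); }
        catch (ArgumentOutOfRangeException e) { Console.WriteLine("Rejected: " + e.ParamName); }
    }
}
```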
