Hidden HTML Form Fields
Another technique for maintaining state information in a Web application is to store the data on the client computer. Not in cookies, but in the actual HTML code that is sent back and forth between the client and the server. The state information in the HTML uses the <hidden> tag so that is it not easily seen by the user. Here's an HTML code snippet from an Internet merchant site I visited that used a hidden HTML form field to remember that I chose to pay for my order using a Discover card:
<input type=hidden name=PayType value=Discover>
This technique has an advantage over cookies (and ASP Sessions, which require cookies) because the browser doesn't have an option to disable it. But it also suffers from the same disadvantage of increased transmission times because the state data is sent back and forth between the client and server for each request. The hidden HTML form fields technique also requires more complex coding in that the Web application must dynamically alter the HTML pages being sent to the browser to include all necessary state information. This requires the application logic to be closely tied to the user interface HTML code. Also, all requests sent to the server must be HTML form posts instead of ordinary hyperlinks so that the state information gets sent to the server.
Perhaps a bigger risk of using hidden form fields to retain state information is that it is stored on the client computer as simple HTML text, so there exists the potential that it can be altered, either accidentally or maliciously. One common scenario of this type of tampering involves so-called e-commerce shopping cart applications. Suppose a shopping cart application stores a customer's order information in hidden HTML form fields. Such information might include customer billing information, product ID, product name, quantity, and price. A malicious customer could use his or her client computer to save the HTML file with the hidden fields, modify the price values for the products being ordered to be much lower, open the altered HTML in a Web browser, and then submit the page back to the server. If the shopping cart software running on the server uses the prices from the hidden form fields, the customer's credit card could be billed for an incorrect amount.