How best to prevent form input substitution of registered user?

If a user ID is required in a form in Dashboard, it can be relatively safely assumed the ID will be of the registered user because they have to log in first in order to access the Dashboard. We don’t consider that the admin will try to ruin the site.

But what if a non-admin user ID has to be posted in a form on an external page? If the user ID is passed in a form through a hidden input field, a malicious user can substitute its value in the Developer Tools.

To prevent this, I can only think of setting a session variable with the user ID and then grabbing it in the controller. Is this the best way of doing that?

Please check the Permissions and Access section.

Why would you want to set the ID in a form’s hidden field? Anywhere you’re going to need that ID to process it, just grab the current user; that’s all. You definitely don’t need to add it to a form.

@mnakalay I should have been more specific. I not only use the site user ID but I have a whole class of package-specific info which the user can edit on their Account page. So they have to pass at least the other package class ID and sometimes, say, a Post ID for a post they’ve created and are editing. So for example the form needs to pass 3 IDs: the site user ID, the package user ID and a post ID. Of course I can get the site user ID anywhere. But the other 2 need to be posted. So I can think of only sessions to post them safely in the front end to prevent malicious substitution in the Developer Tools.

I’d say the post ID is also not a problem since you can check whether it really belongs to the current user or not.

That leaves you with the package user ID. Since I don’t really understand how that’s a different user I can’t really say whether there’s a risk or not.