If a user ID is required in a form in Dashboard, it can be relatively safely assumed the ID will be of the registered user because they have to log in first in order to access the Dashboard. We don’t consider the admin will try to ruin the site.
But what if a non-admin user ID has to be posted in a form on an external page? If the user ID is passed in a form through a hidden input field, a malicious user can substitute its value in the Developer Tools.
To prevent this, I can only think of setting a session variable with the user ID and then grabbing it in the controller. Is this the best way of doing that?
@mnakalay I should have been more specific. I not only use the site user ID but I have a whole class of package-specific info which the user can edit on their Account page. So they have to pass at least the other package class ID and sometimes, say, a Post ID they’ve created and edit. So for example the form needs to pass 3 IDs: the site user ID, the package user ID and a post ID. Of course I can get the site user ID anywhere. But the other 2 need to be posted. So I can think of only sessions to post them safely in the front end to prevent malicious substitution in the Developer Tools.
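
An added example, not part of the posts above and not the CMS's or the package's own code: a plain PHP 8 sketch of a server-side ownership check for the three-ID form described in the thread. Only the post ID is read from the form; the site user ID comes from the login session and the package user ID is derived from it. The arrays, the ID values and the function name `authorizePostEdit` are constructed for illustration and stand in for the package's real tables.

```php
<?php
declare(strict_types=1);

// Constructed sample data standing in for the package's tables (hypothetical schema).
const PACKAGE_USERS = [10 => 1, 11 => 2];   // packageUserId => siteUserId
const POSTS = [100 => 10, 101 => 11];       // postId => owning packageUserId

/**
 * Decide which IDs a post-edit request may act on.
 * $sessionUserId is taken from the server-side login session, never from the form.
 * $postedPostId is the untrusted hidden-field value.
 * Returns the trusted ID triple, or null when the request must be rejected.
 */
function authorizePostEdit(?int $sessionUserId, mixed $postedPostId): ?array
{
    if ($sessionUserId === null) {
        return null; // no logged-in user
    }
    // Form values arrive as strings; accept only positive integers.
    $postId = filter_var($postedPostId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($postId === false) {
        return null;
    }
    // Derive the package user ID from the logged-in user instead of trusting a posted one.
    $packageUserId = array_search($sessionUserId, PACKAGE_USERS, true);
    if ($packageUserId === false) {
        return null; // the user has no package profile
    }
    // Ownership check: the post must belong to that package user.
    if ((POSTS[$postId] ?? null) !== $packageUserId) {
        return null; // substituted or unknown post ID
    }
    return [
        'siteUserId'    => $sessionUserId,
        'packageUserId' => $packageUserId,
        'postId'        => $postId,
    ];
}

// Site user 1 editing their own post 100: the trusted triple is returned.
var_dump(authorizePostEdit(1, '100'));
// Site user 1 with the hidden field changed to post 101 (owned by someone else): rejected.
var_dump(authorizePostEdit(1, '101'));
// Non-numeric value in the hidden field: rejected.
var_dump(authorizePostEdit(1, '100 OR 1=1'));
```

With this check in the controller, a value changed in the Developer Tools can only ever point at a record the logged-in user already owns.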