
I have been using hidden form fields in my code a lot of times. Depending upon the requirement, I store some values in this/these hidden field/s, so I can easily access them from JavaScript code and avoid a PostBack. However, I wanted to know some things:

  1. Is there a limit I should not cross in terms of populating the hidden field?
  2. Does the use of hidden fields cause some sort of security threat?

I did find a discussion on hidden form fields, however it did not satisfy all my queries.

I would really appreciate any links or explanations.

Thanks in advance

Rohan

1 Answer


This is what I would say:

  1. Hidden form fields typically have no limit to the length as long as you are using POST as your method. I've never used forms with GET requests (with RESTful services, for example); it's apparently still best to keep your total GET request to 2KB or less, but this limit actually comes down to the maximum length of the URL and varies from browser to browser (this means chunking very large data into multiple 2k hidden fields won't work for GET submits).

  2. If you are using hidden form fields to store information about the user's application state (instead of using .NET to manage this for you), then you need to be aware that users can (and maybe will) modify these fields in ways you didn't expect. If a field shouldn't be changeable by a user, you should include in another hidden variable a hash or checksum of the data so that you can easily detect unexpected changes (and at least clear the user's state). With modern web inspector panels in Chrome, IE, Safari, and Firefox, it is trivially easy to modify pages in ways developers might not have expected. Simply treat all data being returned (including all query strings, form fields, cookies and request headers) from the client as tainted (i.e. 'dangerous') and act accordingly.

Andrew
  • "If a field shouldn't be changeable by a user, you should include in another hidden variable a hash or checksum of the data so that you can easily detect unexpected changes." If the user can't & doesn't have to change the value, then this variable should not be in a hidden field on the client side but should be stored on the server side only, *wherever it's possible*. A simple example of that is storing information about the user (its id) in a hidden field, which is not necessary (use sessions instead) and may be insecure. However, it's not always possible to do that. – pomeh May 12 '12 at 12:25
  • @pomeh, Sure, but let's say you're serving from multiple servers and don't want to expend any energy synchronizing state across all servers for fairly trivial operations. Or your machines have inadequate storage for the number of states you expect to need to manage. .NET does this itself with its _VIEWSTATE variable in postbacks. I'd personally recommend leaving all this to your .NET implementation since it works so well, but if you want to (or have to) roll your own you just need to be diligent about application state. Just treat everything as tainted. – Andrew May 12 '12 at 12:34
  • Thanks for your answer Andrew. I had one doubt though: would the use of multiple hidden fields or populating them with large data have any impact on the performance of the page? – Rohan May 12 '12 at 16:01
  • I wasn't 100% sure so I just did some quick tests. The quick answer is, yes, adding hidden form fields will affect performance: adding text to a page will result in a larger stream and a longer download. And adding any element to the DOM will take time to insert. But (!) since hidden elements are not visible to the page, they take *way* less time to add to the DOM than visible ones (eg. ``). So I would say, yes, they'll affect performance, but so minimally you probably won't notice. The thing to do is test it yourself. If the hidden inputs are <10KB, you're probably fine. – Andrew May 13 '12 at 10:41
  • Thank you Andrew. I really appreciate that you took the time to test. This will help me in my approach to using hidden form fields. – Rohan May 14 '12 at 03:21
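The answer's second point, keeping a "hash or checksum" of a hidden field in a companion hidden field so tampering can be detected, only works if the client cannot recompute the checksum itself. The following added example (written for this page, not code from the question, the answer, or ASP.NET; it is framework-independent Python rather than C# so the scheme can be shown end to end) contrasts an unkeyed SHA-256 checksum, which any browser user can regenerate for a modified value, with an HMAC under a server-side secret, which they cannot. The field name is mixed into the MAC input so a valid value-and-MAC pair for one field cannot be pasted into another; `SERVER_SECRET`, the field names and the form dictionaries are all constructed for the demo.

```python
import hashlib
import hmac
import html
import secrets
from typing import Optional

# Constructed secret for this demo. In a real deployment it would come from
# configuration, be shared by every server in the farm (so pomeh's
# multi-server concern is covered without synchronizing state), and never
# reach the browser.
SERVER_SECRET = secrets.token_bytes(32)


def unkeyed_checksum(value: str) -> str:
    """The 'plain hash' variant: anyone who knows the algorithm can recompute it."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def verify_unkeyed(value: str, checksum: str) -> bool:
    """Accepts any value whose checksum matches; offers no protection against
    a client that edits the value and the checksum together."""
    return hmac.compare_digest(unkeyed_checksum(value), checksum)


def sign_value(name: str, value: str, secret: bytes = SERVER_SECRET) -> str:
    """Keyed MAC over field name + value; only holders of the secret can produce it.
    The NUL separator keeps ("ab", "c") and ("a", "bc") from colliding."""
    msg = name.encode("utf-8") + b"\x00" + value.encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def render_hidden_fields(name: str, value: str, secret: bytes = SERVER_SECRET) -> str:
    """Emit the value field and its companion MAC field as HTML (values escaped)."""
    mac = sign_value(name, value, secret)
    return (
        f'<input type="hidden" name="{html.escape(name)}" value="{html.escape(value)}">'
        f'<input type="hidden" name="{html.escape(name)}_mac" value="{mac}">'
    )


def read_hidden_field(form: dict, name: str, secret: bytes = SERVER_SECRET) -> Optional[str]:
    """Return the posted value only if its MAC verifies.

    None means the field is missing or tainted; per the answer's advice the
    caller should then discard the client-supplied state rather than use it.
    """
    value = form.get(name)
    mac = form.get(f"{name}_mac")
    if value is None or mac is None:
        return None
    if not hmac.compare_digest(sign_value(name, value, secret), mac):
        return None
    return value


if __name__ == "__main__":
    # Server renders the page with the user's (constructed) role in a hidden field.
    page = render_hidden_fields("role", "viewer")
    print(page)

    # Simulated POST-back: the client edited the value but cannot forge the MAC.
    tampered = {"role": "admin", "role_mac": page.split('value="')[2].rstrip('">')}
    print("tampered role accepted:", read_hidden_field(tampered, "role"))

    # With an unkeyed checksum the same edit slips through.
    print("unkeyed edit verifies:", verify_unkeyed("admin", unkeyed_checksum("admin")))
```

A MAC detects modification but not replay: a valid pair captured earlier still verifies later, so state that must not be reused (a one-time token, a price quoted for a session) should also carry a session id or expiry inside the signed message, which is exactly the kind of per-field diligence the answer asks for when rolling your own instead of relying on _VIEWSTATE.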