I have a list of posts that any user can edit.
When I enter edit mode for a post, I store the PostId in a hidden field.
Now I see that this is actually bad because a user can change that hidden field and update some other post.
Is the session the only alternative for keeping the id of the post that the user is editing, or is there some better tactic?
Because mine is really bad :(
There's a better tactic:
Before updating the record check if the record that the user is trying to update belongs to the currently authenticated user.
You could write a custom authorize attribute that does this task for you. Here's an example.
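The example the answer refers to is not on this page. As an added illustration (not the answer's own code), here is one way to do the check in ASP.NET MVC (System.Web.Mvc): an authorization filter that loads the record named by the request's `id` and refuses the request unless it belongs to the authenticated user, plus an action that repeats the check. The `Post` model, `IPostRepository` and `PostsController` are hypothetical names assumed for the example; the repository is resolved through `DependencyResolver`, which is assumed to be configured.

```csharp
using System;
using System.Net;
using System.Web.Mvc;

// Hypothetical domain model and repository, assumed for this example.
public class Post
{
    public int Id { get; set; }
    public string OwnerUserName { get; set; }
    public string Body { get; set; }
}

public interface IPostRepository
{
    Post Find(int id);
    void Save(Post post);
}

// Authorization filter: before the action runs, require an authenticated caller
// and require that the post identified by the request belongs to that caller.
// The hidden field (or route value) is still used to say WHICH post; it is
// simply no longer trusted to say WHOSE post.
public class AuthorizePostOwnerAttribute : AuthorizeAttribute
{
    private readonly string _idParameterName;

    public AuthorizePostOwnerAttribute(string idParameterName = "id")
    {
        _idParameterName = idParameterName;
    }

    public override void OnAuthorization(AuthorizationContext filterContext)
    {
        // Base class rejects unauthenticated callers (and enforces Roles/Users if set).
        base.OnAuthorization(filterContext);
        if (filterContext.Result != null)
            return;

        // Take the id from the route first, then from the posted form.
        string rawId = Convert.ToString(filterContext.RouteData.Values[_idParameterName]);
        if (string.IsNullOrEmpty(rawId))
            rawId = filterContext.HttpContext.Request.Form[_idParameterName];

        int id;
        if (!int.TryParse(rawId, out id))
        {
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.BadRequest);
            return;
        }

        // Ownership is decided from the server-side record, never from client input.
        var repository = DependencyResolver.Current.GetService<IPostRepository>();
        var post = repository.Find(id);
        string user = filterContext.HttpContext.User.Identity.Name;

        if (post == null || !string.Equals(post.OwnerUserName, user, StringComparison.Ordinal))
        {
            // 404 rather than 403 so a tampered id does not reveal that another user's post exists.
            filterContext.Result = new HttpNotFoundResult();
        }
    }
}

public class PostsController : Controller
{
    private readonly IPostRepository _posts;

    public PostsController(IPostRepository posts)
    {
        _posts = posts;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    [AuthorizePostOwner("id")]
    public ActionResult Edit(int id, string body)
    {
        var post = _posts.Find(id);

        // Defense in depth: repeat the check so the action stays safe even if the
        // attribute is dropped from it later.
        if (post == null || !string.Equals(post.OwnerUserName, User.Identity.Name, StringComparison.Ordinal))
            return HttpNotFound();

        // Copy only the fields the user may change; do not bind the whole entity from the form.
        post.Body = body;
        _posts.Save(post);
        return RedirectToAction("Index");
    }
}
```

With this in place the session is not needed to remember the post id: the id can travel in the URL or the hidden field, because every write re-checks ownership against the stored record. The same rule applies to every action that touches a post (delete, publish, and so on), not just Edit.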