Parameters, such as those found in form fields, query strings, view state, and cookies, can be manipulated by attackers who usually intend to gain access to restricted pages or trick the application into performing an unauthorized operation.
For example, if an attacker knows that you are using a weak authentication token scheme such as a guessable number within a cookie, the attacker can construct a cookie with another number and make a request as a different (possibly privileged) user.
The following recommendations help you avoid parameter manipulation vulnerabilities:
Protect view state with MACs.
Use Page.ViewStateUserKey to counter one-click attacks.
Maintain sensitive data on the server.
Validate input parameters.