So the "hidden id" value is coming from an AJAX return?
If so, it will depend on the server-side code.
If this is to be used for anything where it is even slightly important that the value maintains integrity, you should have an accompanying hash token. In fact, you could probably be better off having only a hash token.
- server sets a unique value when the page is loaded / XHR completes successfully
- visitor does stuff, hopefully not messing with the values
- data goes to the server where it is checked against the value that was initially sent to the page.
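
One way to implement the accompanying hash token from the steps above, as an added example that is not part of the original post. It assumes HMAC-SHA256 over the session id, the hidden id and an issue time, with a key held only on the server; `SERVER_KEY`, `MAX_AGE_SECONDS`, `issue_token` and `verify_token` are hypothetical names.

```python
import hashlib
import hmac
import secrets
import time

# Assumption: a secret that never leaves the server (load from config in practice).
SERVER_KEY = secrets.token_bytes(32)
MAX_AGE_SECONDS = 900  # assumption: a token is accepted for 15 minutes


def _mac(session_id: str, hidden_id: str, issued_at: int) -> str:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") give different MACs.
    fields = (session_id.encode(), hidden_id.encode(), str(issued_at).encode())
    msg = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(session_id, hidden_id, now=None):
    """Step 1: the server emits this next to the hidden id (page load or XHR)."""
    issued_at = int(time.time() if now is None else now)
    return f"{issued_at}.{_mac(session_id, hidden_id, issued_at)}"


def verify_token(session_id, hidden_id, token, now=None):
    """Step 3: recompute the MAC over what came back and compare."""
    now = int(time.time() if now is None else now)
    try:
        issued_str, mac = token.split(".", 1)
        issued_at = int(issued_str)
    except (AttributeError, ValueError):
        return False  # missing or malformed token
    if not 0 <= now - issued_at <= MAX_AGE_SECONDS:
        return False  # expired, or timestamped in the future
    expected = _mac(session_id, hidden_id, issued_at)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), mac.encode())


if __name__ == "__main__":
    # Constructed sample values.
    tok = issue_token("sess-1", "42")
    print("untouched value:", verify_token("sess-1", "42", tok))
    print("edited hidden id:", verify_token("sess-1", "43", tok))
```

Binding the session id into the MAC means a token issued to one visitor does not validate a hidden id submitted under another session.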