Having an id as hidden field in form and session that id, then after submitting form and check that posted id with the one in session before processing the form data, does actually prevent brute force pomping to form?
This is a page which will provide more details:
The short answer is yes, this helps prevent security issues and is suggested. I wouldn’t use the users browsing session ID though.