in reply to functions for passing variables through multiple CGI forms

I would have to agree with cianoz -- pass state through sessions, and only pass the session key as a hidden variable, or in a cookie. The problem with passing state through a form, besides having to encode/decode it every time, is that you have to untaint/revalidate it every time to keep people from hijacking your variables to their own nefarious ends. If you pass a session key around, they can mess with the key, but the most they can do with a good MD5-hashed key is invalidate their session.
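The approach from the reply above, as an added example that is not part of the original post: state stays on the server and the form carries only an opaque key, so a tampered key finds no session. The names (`new_session`, `load_session`, `handle_step`, the `sid` field, the in-memory store, the 30-minute lifetime) are assumptions, and the key here is 128 random bits from the OS rather than an MD5 hash.

```python
import html
import re
import secrets
import time

SESSION_TTL = 1800                       # assumed lifetime in seconds
KEY_RE = re.compile(r"\A[0-9a-f]{32}\Z") # shape of a valid key, nothing else accepted
SESSIONS = {}                            # stand-in for a server-side store (file, DB)


def new_session(state, now=None):
    """Keep the state server-side and return the opaque key that refers to it."""
    now = time.time() if now is None else now
    key = secrets.token_hex(16)          # 32 hex chars, unguessable
    SESSIONS[key] = {"state": dict(state), "expires": now + SESSION_TTL}
    return key


def hidden_field(key):
    """The only thing the form carries between steps."""
    return '<input type="hidden" name="sid" value="%s">' % html.escape(key, quote=True)


def load_session(submitted, now=None):
    """Return the stored state for a submitted key, or None if unknown or expired."""
    now = time.time() if now is None else now
    if not isinstance(submitted, str) or not KEY_RE.match(submitted):
        return None                      # malformed key: never reaches the store
    entry = SESSIONS.get(submitted)
    if entry is None:
        return None                      # altered key: no session behind it
    if now >= entry["expires"]:
        del SESSIONS[submitted]
        return None
    return entry["state"]


def handle_step(form, now=None):
    """One form step: 'sid' is a lookup key; earlier state is never read from the form."""
    state = load_session(form.get("sid"), now)
    if state is None:
        return "restart", None
    # A client-supplied 'price' or 'user' is ignored; only this step's new
    # field needs validating before it joins the server-side state.
    qty = form.get("quantity", "")
    if qty.isdigit():
        state["quantity"] = int(qty)
    return "ok", state
```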