This will solve both the security and "dirty" fields issue:

1- Go ahead with CGI::Session and let it generate and send the session ID to the client

2- Store in the session data not only the primary key but also the original values of the fields you sent to the client (probably in a hash that will be serialized in order to be stored in the session data)

When the client submits the form:

3- Retrieve the session data from CGI::Session

4- Compare each field the client sent with the fields you have stored in your session data

5- Update to the database only the fields that have been changed

If you're concerned about concurrent changes to the data, you could calculate the MD5 of all fields during step (2) and store this MD5 in the session data. Between steps (3) and (4), read the data from the DB again, calculate the MD5 and compare it with the one in the session data. If they're not the same, you'll know that someone else has changed your data.