Neither are secure, and both have other issues too (for instance, a browser is only required to remember 300 bytes of cookie data per site IIRC)

I think hidden fields are easier to understand and debug, and I can't see if you really need the security. Still, I'd go for CGI::Session. It takes a little time to figure sessions out, but once you do, you really don't want do without them.