To keep track of a user, a server may include a user's identifier as a hidden and encrypted form field, so that it comes back with every form submission. What risk does this entail?
- A malicious user modifies the hidden field and submits a request for another user
- The user identifier is leaked and can be sniffed
- A cross-site request forgery can get hold of the identifier
- The identifier can be used in a code injection attack