But then they can still modify it by going to the code...
You can give them a 12-char session id, so that they'll have almost no way to change it to another true one. Create a sessions.cgi file in the directory, have a randomly-generated id such as "Fr5g4Dds9aG", in the file have "Fr5g4Dds9aG" => "Max Smith", and then add to the HTML: input type="hidden" name="session" value="Fr5g4Dds9aG".
But that's only if you don't trust them.