There are multiple ways to do this. The usual way is to have all user data in server-side session store, and only give the client-side the session ID instead of user ID and similar sensitive information.
Your form would work without the user information, and then when you are handling the submitted data, you retrieve the user information from the session and basically assume that the user submitted it. There are ways to make this assumption safer by using CSRF protection, etc.
More on sessions in web.py: http://webpy.org/sessions/
More on CSRF protection: http://webpy.org/cookbook/csrf