There is no error with your code. CakePHP's Security component checks hidden form fields to prevent tampering by end users:
By default SecurityComponent prevents users from tampering with forms. It does this by working with FormHelper and tracking which files are in a form. It also keeps track of the values of hidden input elements. All of this data is combined and turned into a hash. When a form is submitted, SecurityComponent will use the POST data to build the same structure and compare the hash.
Use FormHelper::unlockField
to make a field exempt from this feature:
$this->Form->unlockField('User.id');