Hi Alec,

My suggestion would be to examine the way Wordpress has dealt with this.   WP uses Nonce keys on each form, painless with a wp_nonce_field() function call.  The keys are stored in a database table that also contains the referring document of the form, the destination URL, and other information about the user session.  They also expire after a reasonable amount of time.   On form submission, part of the validation routine extracts the nonce key from the hidden form field and pulls the information out of the database, verifies that everything is correct, expires the nonce key, and then processes the form.

The nice thing about the WP approach is that the nonce functions abstract all of the key creation, record creation, and so on.  You just need to include it on your form and then call wp_verify_nonce() as part of the form validation routine. 

WP info:
http://codex.wordpress.org/Wordpress_Nonce_Implementation

Nonce info:
http://en.wikipedia.org/wiki/Cryptographic_nonce