Here's an example that you can try. It expects the page to be loaded at least once before a POST request, and the token key is also hashed for fun:
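<?php
session_start();

if ($_SERVER['REQUEST_METHOD'] == 'POST') {
    // The hidden field's name and its value must both match the session copy.
    if (!isset($_SESSION['token_key']) ||
        !isset($_SESSION['token']) ||
        !isset($_POST[$_SESSION['token_key']]) ||
        !is_string($_POST[$_SESSION['token_key']]) ||
        // hash_equals() compares as strings and in constant time; a loose !=
        // treats two strings of the form "0e<digits>" as equal numbers.
        !hash_equals($_SESSION['token'], $_POST[$_SESSION['token_key']])) {
        echo 'Form spoofing error!';
    } else {
        // Continue with validation etc.
        echo 'alls good!';
    }
}

// Set after any checks on previous values.
// random_bytes() (PHP 7+) replaces microtime(), which can be guessed.
$_SESSION['token_key'] = sha1(random_bytes(32));
$_SESSION['token'] = sha1(random_bytes(32));
?>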
<form method="POST" action="">
<input type="hidden" name="<?php echo $_SESSION['token_key'];?>" value="<?php echo $_SESSION['token'];?>" />
<p><input type="text" name="yada" size="20">
<input type="submit" value="Submit" name="B1"></p>
</form>
Hope it helps.
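An added example, not part of the original answer: the same hidden-field check with tokens kept per form, so that loading the page in a second tab does not invalidate a form already open in the first. The function names, the `form_tokens` session key and the limit of five open forms are assumptions.

```php
<?php
// Added example (not the poster's code). Function names are hypothetical.
// Works on plain arrays so it runs from the CLI; in a page, pass $_SESSION
// and $_POST instead of the constructed arrays at the bottom.

const MAX_OPEN_FORMS = 5; // assumption: cap on outstanding tokens per session

// Create a random field name and value, remember them, and return both.
function issue_form_token(array &$session): array
{
    $key   = bin2hex(random_bytes(16)); // hidden field name
    $token = bin2hex(random_bytes(32)); // hidden field value
    $session['form_tokens'][$key] = $token;
    // Keep only the newest entries so the session cannot grow without bound.
    $session['form_tokens'] = array_slice($session['form_tokens'], -MAX_OPEN_FORMS, null, true);
    return [$key, $token];
}

// Accept the POST only if it carries one stored name/value pair; each pair
// is removed on first use, so a replayed form fails.
function verify_form_token(array &$session, array $post): bool
{
    foreach ($session['form_tokens'] ?? [] as $key => $token) {
        $sent = $post[$key] ?? null;
        // is_string() rejects array input such as name[]=x before hash_equals().
        if (is_string($sent) && hash_equals($token, $sent)) {
            unset($session['form_tokens'][$key]);
            return true;
        }
    }
    return false;
}

// Constructed demo: two forms open at once (for example two browser tabs).
$session = [];
[$k1, $t1] = issue_form_token($session);
[$k2, $t2] = issue_form_token($session);

var_dump(verify_form_token($session, [$k1 => $t1, 'yada' => 'a'])); // first tab submits
var_dump(verify_form_token($session, [$k1 => $t1, 'yada' => 'a'])); // same form replayed
var_dump(verify_form_token($session, [$k2 => ['x']]));               // array instead of a string
var_dump(verify_form_token($session, [$k2 => $t2, 'yada' => 'b'])); // second tab submits
```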