Comment 1 for bug 121408

This should probably be a feature in web.form.

* web.form accepts an optional session object
* it saves the token in session and retrieves it at validation
* it needs a configuration option for session expiry timings
* probably a few more things I can't remember at the moment