If you don't trust the consistency of anything, a unique token is better than nothing.

<?php

$token md5(uniqid(rand(), true));

$_SESSION['token'] = $token;

?>