I suppose that you could tie the authenticity token per form, but you would end up maintaining a list of every token per user per form.
You could use something like HMAC(form id:session id:secret) to validate forms, but then you run into problems with verification. The central issue is that tokens are generated in the view, but validated in the controller, so each controller would have to maintain a list of the forms that are authorized to POST to it.
