Forum OpenACS Q&A: Response to Securing form submissions

Posted by carl garland on
Yes, the referer can be faked, but the tag id that is generated on the server is the main part of the security. Since it is generated and exists only for a limited time, and if you purge the id as soon as it is used, in addition to frequent purging of all expired tags, it will buy you a little more security than nothing. This approach could also be extended for simple double-click protection.
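The scheme described in the reply (a server-minted id with a limited lifetime, deleted on first use, with a periodic sweep of expired ids, which also gives double-submit protection) as an added example. It is not OpenACS or the poster's code; it is written in Python rather than Tcl so it runs stand-alone, and the class name `FormTokenStore`, the 600-second default lifetime and the injectable clock are assumptions made for illustration.

```python
import secrets
import time


class FormTokenStore:
    """Server-side store of single-use, time-limited form tokens.

    Illustrative code, not OpenACS's own: a random id is minted when the
    form is rendered and embedded as a hidden field; the submit handler
    must present it back.  The id is deleted the moment it is consumed,
    and expired ids are swept out periodically so the store stays small.
    """

    def __init__(self, ttl_seconds: float = 600.0, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock  # injectable so tests can control time
        self._tokens: dict[str, float] = {}  # token -> expiry timestamp

    def issue(self) -> str:
        """Mint a fresh unguessable token valid for ttl seconds."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._tokens[token] = self.clock() + self.ttl
        return token

    def consume(self, token: str) -> bool:
        """Accept the submission iff the token is known, unexpired and unused.

        pop() removes the id on first sight, so a replayed or double-clicked
        submission carrying the same id is refused; a forged id is never in
        the store at all, whatever the Referer header says.
        """
        expires_at = self._tokens.pop(token, None)  # purge on use
        if expires_at is None:
            return False  # unknown, already used, or previously swept
        if self.clock() > expires_at:
            return False  # stale: the form was rendered too long ago
        return True

    def purge_expired(self) -> int:
        """Sweep expired ids (the 'frequent purging' step); returns the count."""
        now = self.clock()
        stale = [t for t, exp in self._tokens.items() if now > exp]
        for t in stale:
            del self._tokens[t]
        return len(stale)

    def __len__(self) -> int:
        return len(self._tokens)


def demo() -> dict:
    """Walk through the cases the post raises, on a constructed fake clock."""
    now = [1000.0]
    store = FormTokenStore(ttl_seconds=60.0, clock=lambda: now[0])

    t1 = store.issue()
    first = store.consume(t1)          # legitimate submit
    double_click = store.consume(t1)   # same form posted a second time

    forged = store.consume("not-a-real-token")  # id never issued by the server

    t2 = store.issue()
    now[0] += 61.0                     # let the second form go stale
    stale = store.consume(t2)

    store.issue()                      # an id that is never submitted
    now[0] += 61.0
    swept = store.purge_expired()

    return {
        "first": first,
        "double_click": double_click,
        "forged": forged,
        "stale": stale,
        "swept": swept,
        "remaining": len(store),
    }


if __name__ == "__main__":
    print(demo())
```

The store is per-process here; on a multi-server deployment it would have to live in the database or another shared store, and the sweep would run from a scheduled job rather than on demand.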