I want to use a security token as a hidden input field in my comment form for security purposes. I know that if there is only one form on my web page, I can do something like this:
session_start();                       // the token is kept in the session
$token = sha1(uniqid(rand(), TRUE));   // one token per page load
$_SESSION['token'] = $token;
I can use this token in my form:
<form action="comment.php" method="post">
<input type="hidden" name="token" value="<?php echo $token; ?>" />
<input type="text" name="comment_body" value="" />
</form>
and on the receiving end, I can do this:
// strict, constant-time comparison instead of a loose == (which treats "0e..." hashes as numbers)
if (isset($_SESSION['token']) && is_string($_POST['token'] ?? null)
    && hash_equals($_SESSION['token'], $_POST['token'])) {
    /* Valid Token */
}
But I have about 10 forms on a single page. So how can I generate multiple tokens, and how do I handle them on the receiving end? And what if a user opens multiple pages?
You can use a combination of microtime and mt_rand, which is basically what I use when dealing with such a scenario:
$tokenLen = 64;
// mix several sources and hash them; sha512 yields 128 hex characters
// (mt_rand() and microtime() are not cryptographic sources; PHP 7+ also offers random_bytes())
$randomData = mt_rand() . mt_rand() . mt_rand() . mt_rand() . microtime(true) . uniqid(mt_rand(), true);
// keep the first 64 hex characters as the token
$token = substr(hash('sha512', $randomData), 0, $tokenLen);
To prevent CSRF, a single session-dependent token already suffices.
However, if you want to use a different token for each form, you can associate the token with the form's characteristics, e.g., the action URL and method, for example:
// issue token
// generate_csrf_token() is not shown in the answer; a minimal version is assumed here
function generate_csrf_token() {
    return bin2hex(random_bytes(32));
}
$form = array('method'=>'POST', 'uri'=>'/comment.php');
$key = "{$form['method']}:{$form['uri']}";          // one token per method + URI pair
if (!isset($_SESSION['CSRF_TOKENS'][$key])) {
    $_SESSION['CSRF_TOKENS'][$key] = generate_csrf_token();
}
echo '<form method="'.$form['method'].'" action="'.$form['uri'].'">';
echo '<input type="hidden" name="CSRF_TOKEN" value="'.$_SESSION['CSRF_TOKENS'][$key].'">';

// check token
$form = array('method'=>$_SERVER['REQUEST_METHOD'], 'uri'=>$_SERVER['REQUEST_URI']);
$key = "{$form['method']}:{$form['uri']}";
$input = ${'_'.$form['method']};                    // $_POST or $_GET, depending on the request method
if (isset($input['CSRF_TOKEN'], $_SESSION['CSRF_TOKENS'][$key])
    && $input['CSRF_TOKEN'] === $_SESSION['CSRF_TOKENS'][$key]) {
    // token valid
} else {
    // token missing or invalid
}
Another possible solution is to use signed CSRF tokens. You can add to the given example as much additional information besides the user ID as you want, to further limit the validity of the token.
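As an added example (not code from the question or from either answer), here is one way to implement the signed-token idea: one random secret per session, and a per-form token that is an HMAC over the form's method and path plus any extra context such as the user ID. Because the token is recomputed from the secret, ten forms on one page and pages open in several tabs all verify without storing a token per form. The function names and the form identifier layout are my own assumptions.

```php
<?php
// Added example: signed per-form CSRF tokens (HMAC over a per-session secret).
// Function names and the [method, uri, context] identifier are assumptions, not from the page.

function csrf_session_secret(): string {
    // One random secret per session, created lazily and never sent to the browser.
    if (empty($_SESSION['CSRF_SECRET'])) {
        $_SESSION['CSRF_SECRET'] = bin2hex(random_bytes(32)); // CSPRNG, not mt_rand()
    }
    return $_SESSION['CSRF_SECRET'];
}

function csrf_token_for(string $method, string $uri, array $context = []): string {
    // Token = HMAC-SHA256(secret, form identity + extra context such as the user ID).
    // json_encode keeps the fields unambiguously separated, so "a:b" vs "a":"b" cannot collide.
    $message = json_encode([strtoupper($method), $uri, $context]);
    return hash_hmac('sha256', $message, csrf_session_secret());
}

function csrf_hidden_field(string $method, string $uri, array $context = []): string {
    $token = csrf_token_for($method, $uri, $context);
    return '<input type="hidden" name="CSRF_TOKEN" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

function csrf_check(string $method, string $uri, $submitted, array $context = []): bool {
    if (!is_string($submitted)) {
        return false;                                  // token missing or not a string (e.g. token[]=)
    }
    $expected = csrf_token_for($method, $uri, $context);
    return hash_equals($expected, $submitted);         // constant-time, strict comparison
}

// Rendering a page with several forms (session_start() must run first):
// session_start();
// $ctx = ['user' => $_SESSION['user_id'] ?? 0];
// echo '<form method="POST" action="/comment.php">', csrf_hidden_field('POST', '/comment.php', $ctx), '...</form>';
// echo '<form method="POST" action="/vote.php">',    csrf_hidden_field('POST', '/vote.php', $ctx),    '...</form>';
//
// Handling the submission in comment.php:
// session_start();
// $path = parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH); // path only, so query strings do not alter the key
// if (!csrf_check($_SERVER['REQUEST_METHOD'], $path, $_POST['CSRF_TOKEN'] ?? null, $ctx)) {
//     http_response_code(403);
//     exit('Invalid CSRF token');
// }
```

Tokens here are deterministic for a given session, form and context, so a token stays valid until the session secret changes; clear `$_SESSION['CSRF_SECRET']` (and call `session_regenerate_id(true)`) on login and logout so a token from an earlier session cannot carry over.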