Decided to use a map that I save in the browser session. This way i can pass the tokenKey throgh the URL and get the variable back afterwards.

I wrote this little extended class of Zend_Session_Namespace and added 'add' and 'get' functions.

<?php

class My_Session_Tokens extends Zend_Session_Namespace {

    protected $_namespace = "Tokens";

    public function __construct($namespace = 'Tokens', $singleInstance = false)
    {
        parent::__construct($namespace, $singleInstance);
    }

    public function add($token) {
        if($tokenKey = $this->hasToken($token)) {
            return $tokenKey;
        }

        do { $tokenKey = uniqid(); } while(isset($this->$tokenKey));

        $this->$tokenKey = $token;
        return $tokenKey;
    }

    public function get($tokenKey) {
        if(isset($tokenKey)) {
            return $this->$tokenKey;
        }
        return null;
    }

    public function hasToken($token) {
        foreach($this as $key => $val) {
            if($val === $token) return $key;
        }
        return false;
    }
}

I don't think you can.

You can save the token as a cookie, or use it as a GET param but make it expire every 15 minutes or so (and regenerate a new one on every page load). Also check for the same user agent, and if you want to go down the IP road, IP address (however it can give false positives, I wouldn't recommend it).