this is to prevent CSRF attacks
http://en.wikipedia.org/wiki/Cross-site_request_forgery
a malicious site could theoretically display a form that posts to your application. the form might contain instructions that cause a data breach or some unwanted action. the user might be deceived into submitting the form which the app would accept because the user is already logged in. a form token ensures the form was created by your site and not some other site.
checking the HTTP_REFERER is often good enough, but not as complete a solution (https for instance won’t send the referrer string).
if you really want to secure all forms with a token, you can create some convenience functions like emitToken() and checkToken() that will make it work site-wide.
some examples:
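An added example, not part of the original post: a minimal Python sketch of the emitToken()/checkToken() idea, written here as `emit_token` and `check_token`. The `session` dict stands in for your framework's server-side session store, and the `csrf_token` field name and `handle_post` handler are assumptions made for illustration.

```python
import hmac
import html
import secrets

TOKEN_FIELD = "csrf_token"   # hypothetical form field / session key name


def emit_token(session):
    """Return a hidden <input> carrying this session's form token.

    The token is created once per session and stored server-side, so only
    pages rendered by this site for this user can contain it.
    """
    token = session.get(TOKEN_FIELD)
    if token is None:
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        session[TOKEN_FIELD] = token
    return '<input type="hidden" name="%s" value="%s">' % (
        TOKEN_FIELD, html.escape(token, quote=True))


def check_token(session, form):
    """True only if the submitted form carries the session's token."""
    expected = session.get(TOKEN_FIELD)
    submitted = form.get(TOKEN_FIELD)
    if not expected or not isinstance(submitted, str):
        return False                        # no session token or field missing
    # constant-time comparison avoids leaking the token via timing
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_post(session, form):
    """Constructed request handler: reject state changes without a valid token."""
    if not check_token(session, form):
        return 403, "invalid form token"
    return 200, "email changed to " + form.get("email", "")


if __name__ == "__main__":
    session = {}                            # constructed stand-in for a session store
    print(emit_token(session))
    own_form = {TOKEN_FIELD: session[TOKEN_FIELD], "email": "me@example.com"}
    forged_form = {"email": "other@example.com"}   # cross-site form has no token
    print(handle_post(session, own_form))
    print(handle_post(session, forged_form))
```

Call `emit_token` inside every form you render and `check_token` at the top of every handler that changes state.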