Does adding some form of key/ session_id buy any security? I think not, because it would be just another thing that needs to be passed in the form, and enough brute-force attacks would crack that too ...

I don't know much about security programing, but I remeber hearing somewhere For every door there is a key, which means that no matter what you do someone given enough knowledge, skill and motivation can still get in.

So adding the key/ session_id would make it better in the sense that, it would require more motivation for someone to get through it.