Sorry for delay guys I've been away, back to reality
I'm using the following to create a unique id;
$token = md5(uniqid(rand(), true));
This is matched against a hidden field when the form is submitted?
They need to be authenticated to access the form, but I've now added code to double check I have a user id in session when the form is submitted, I think this may have done the trick??!!!
They must of had a cached version somehow??
Thanks for you replies guys, I'll let you know if it still occurs