How about if you generate a unique ID (perhaps an MD5 number with a combination of timestamp and a random number) for each instance of the form (i.e. each form request).

Place this unique ID as a hidden field on the form - then you can distinguish between form instances - of course, you will need to save the unique ID in the session as well (since you use the session as temporary storage).

Alternatively, you could store the unique ID and associated form values in a database, avoiding the need to trust client-side cookies.