Holding tank, yes. This would require the forum hand you something unique (the post_id in the URL?)
The idea is to start the "discard this submission" timer running when the submission comes in, not before the user can know they've done something wrong.
I'm missing something about how this would allow spoofing, because the l/p would still be required to *commit* the post to the database, the forum ("web app") would just take over caching data you just handed it because the browser can't always be trusted to (especially early-model IE, poof, it's gone). If the user can't provide the l/p pair to "save" it from the holding tank, it expires rapidly -- but is never lost 'even before' the user pushed the submit button, which is the minor annoyance right now.
Maybe I'm slacking, but I fail to see why IP really enters into it... you can't expect a unique association there, all the thing has to do is buffer *any* post thrown at it, and cycle off the FIFO or whatever if it gets flooded. Whatever I said above, the token would come in after -- "Hi, welcome to the A.org save-your-butt-system. I've forgotten about whatever session you claim to be coming from, but recorded your submission as temporary entry 12345678, here is a preview spat back at you so you can cut-and-paste at your leisure, please enter a l/p within 5 minutes from current time X:XX UTC."** If the user's fast enough, they submit a form associating 12345678 in the "holding tank" with "Floid / Floid's Password" (re-entered, since nobody was logged in), and if not, *poomf,* it's gone. Maybe if an 'attacker' guessed an ephemeral ID he could purposely/accidentally ascribe an abandoned submission to himself, but that's weak; the only other thing that can be done is to 'clog the buffer,' which would only affect those users not-logged-in anyway. :-)
It's like holding envelope #uuid while the guy (authenticated as owner of #uuid because he's standing in front of you and hasn't moved when you hand that key back to him) scribbles his name on it to be mailed. Rather than having him walk up to the counter, hand over the envelope, and "Oops, you were standing in line for more than 15 minutes. *ZZZRIP!* through the shredder!"
(And heck if I know, but it probably would require mangling Xoops. See DSLReports for a chunk of forumware that does it, though... I think they also leave your username floating around somewhere in the form to be submitted back -- what with having to have been logged in first to try to post -- so the system remembers who you're "trying" to be and only has to prompt for the password.)
**I'm an idiot. The preview is the key; by returning what you just submitted, it never has to expire, since you just have to submit valid ID (l/p) with the text to have it processed, and putting it all on one page means you can do it with one 'resubmit'/'post' button... like how DSLReports does it. Of course, the system would still have to be smart enough to be able to plonk it onto the end of the thread, handle the thread-no-longer-exists case, etc...
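A minimal sketch of the holding tank described in the post above, added here as an illustration and not part of the original post or of Xoops/DSLReports code. The class name `HoldingTank`, the `check_login` stand-in and the sample user are assumptions. It uses a random token instead of a short numeric ID so that an abandoned entry cannot be claimed by guessing.

```python
import hmac, secrets, time
from collections import OrderedDict

# Constructed sample account; a real forum would verify against its stored password hash.
DEMO_USERS = {"floid": "constructed-password"}

def check_login(user, password):
    expected = DEMO_USERS.get(user, "")
    return bool(expected) and hmac.compare_digest(expected.encode(), password.encode())

class HoldingTank:
    """Bounded, expiring buffer for posts that arrive without a valid session."""
    def __init__(self, check_credentials, ttl=300, capacity=1000, clock=time.monotonic):
        self._check = check_credentials       # callable(user, password) -> bool
        self._ttl, self._cap, self._clock = ttl, capacity, clock
        self._items = OrderedDict()           # token -> (expires_at, thread_id, text)

    def _purge(self):
        # The TTL is constant, so insertion order is also expiry order.
        now = self._clock()
        while self._items:
            token, (expires_at, _, _) = next(iter(self._items.items()))
            if expires_at > now:
                break
            del self._items[token]

    def hold(self, thread_id, text):
        """Timer starts when the submission comes in; returns the ephemeral ID."""
        self._purge()
        while len(self._items) >= self._cap:
            self._items.popitem(last=False)   # flooded: cycle the oldest off the FIFO
        token = secrets.token_urlsafe(16)     # 128 random bits, not a guessable counter
        self._items[token] = (self._clock() + self._ttl, thread_id, text)
        return token

    def commit(self, token, user, password, thread_exists):
        """Nothing reaches the database without a valid login/password pair."""
        self._purge()
        entry = self._items.get(token)
        if entry is None:
            return ("expired", None)
        if not self._check(user, password):
            return ("bad_login", None)        # entry stays held until its timer runs out
        del self._items[token]
        _, thread_id, text = entry
        if not thread_exists(thread_id):
            return ("thread_gone", text)      # hand the text back instead of losing it
        return ("posted", (user, thread_id, text))
```
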