If you find that your users are constantly double submitting the same form, whether it be them hitting the back button, or refresh on the after-post page.
What we are going to do is create a token for each user that is used to identify a particular form use.
Every page that you have a form, you need to set a session variable which will include this token. This token should be generated brand new any time the following conditions are met: The form is not posted OR the form is posted and there are errors.
I personally use an $errors array to keep track of errors, so I know that if count($errors) == 0, I have no errors.
// Update token any time we have a form that has not been posted too
if (count($_POST) == 0)
$_SESSION['token'] == md5(time());
// We are only going to do the following if we have no form errors
elseif (count($errors) === 0)
// Check for token
if (empty($_SESSION['token']) || $_SESSION['token'] == '')
die('ERROR: Token has not been set');
// The two match, so lets go ahead and do our form processing
// set the token equal to '' so that it can fail on the next attempt at posting
// of this form
elseif ($_SESSION['token'] == $_POST['token'])
$_SESSION['token'] = '';
// since $_SESSION['token'] is now == '' it will run this last
// and end up dieing()
die('This form data has already been submitted');
Now, in our form, we need to include a hidden value for our token to transverse between the forms.
Should the form be displayed twice (from error handling, remember that because of our code above, our session key will not regenerate itself.
<form method="post" action="">
<input type="hidden" name="token" value="<? echo $_SESSION['token']" />
<input type="text" name="name" id="name" value="" />
Please note that this is just a basic example in its pretty much simplest form. You have the concept, now put it in action! I did not do any of the form processing or data handling to keep things as clean as possible.