When you first load the form, create a random string (something like an [man]md5/man hash of [man]time/man or even [man]uniqid/man and do two things with it:
- Add it to the form as a hidden element (input type="hidden").
- Store it in a session.
Now, when you process the form the first time, you would first make sure that the hash submitted in the form matches the one stored in a session. Then, unset the stored session hash and continue on with whatever it is you are doing.
If the user simply presses F5 again to re-submit the POSTed data, your script will see the old hash value in the form but not find a corresponding hash in the session, at which point you'd kindly halt execution and inform them of their naughty behavior.
