Your guess is as good as any. What I mean is, 10 different people can tell you 10 different ways of doing this, so as a developer you should just come up with your own strategy. For me:
1) I post to the same method that generated the form/view.
2) Form validation and processing only occurs if CSRF token is good and request method is POST.
3) Errors, or a success message is sent to the view using $this->load->vars().
4) It is not desirable to have all forms repopulate, and in that case simply kill the post vars.
