[eluser]WanWizard[/eluser]
If you reload a page that contains a posted form, the browser will post it again. This is how it works.
I include a random ID in a hidden field in every form. When the form is posted, I first check in an array stored in the session if it's an ID I have generated. If not, it could be a CSRF attack. If it is, I check if it was already used. If so, I generate a 'double post' message, and don't accept the post.