The usual way to deal with this problem is to use a session number.
- the form is generated by a CGI script, it includes a (hidden) param that identifies the session (a unique number),
- received session numbers (and possibly session information) are stored in either a DB or in a flat file (be sure that file is properly locked by using the technique described in RE: File Locking),
- when you receive a new request you can then query the DB, or lock the session archive file and load it, to check that this is the first time that this session is sent to you. If not you can either discard the info or send back a message to the user.
And of course you can also look at merlyn's Linux Magazine Column (the last one on the page) that deals with this kind of problem.