This is a duplicate of this question, but I am posting my answer here for convenience...
The PRG pattern will not prevent this, since the P action in it takes time (usually this is the case), and the user can submit the form again (by clicking or refreshing the browser), which will cause the PRG pattern to be "unable to"
Please note that attackers can also circumvent all your client-side measures by running multiple HTTP messages in quick succession.
The solution to all of the above is to check for duplicate submissions on the server side, using the following method described by me here.
I quote:
"If you use a hidden anti-forgery token in your form (as you should), you can cache the anti-forgery token on the first submission and remove the token from the cache when needed, or let the cache entry expire after a set amount of time.
Then on each request you can check the cache to see whether that particular form has already been submitted and reject it, if so."
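The server-side check the answer above describes, written out as an added example (this is not the answerer's code, nor any particular framework's anti-forgery implementation). It assumes an in-process cache keyed on the token, a configurable expiry, and that the token is issued when the form is rendered; the `burst` helper simulates the rapid-fire requests the answer warns client-side measures cannot stop:

```python
import secrets
import threading
import time

TOKEN_TTL_SECONDS = 600  # assumption: how long an issued token stays in the cache


class SubmissionGuard:
    """Server-side duplicate-submission guard keyed on the form's anti-forgery token.

    A token is issued when the form is rendered, marked 'used' by the first POST
    that presents it, and kept in the cache until it expires, so any re-POST with
    the same token (double click, refresh, or a scripted burst) is rejected.
    """

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.monotonic):
        self._ttl = ttl
        self._clock = clock            # injectable clock so expiry can be tested
        self._lock = threading.Lock()  # POSTs arrive concurrently
        self._tokens = {}              # token -> (issued_at, used)

    def issue_token(self):
        """Generate an unguessable token and remember it; embed it as a hidden field."""
        token = secrets.token_urlsafe(32)
        with self._lock:
            self._purge_expired()
            self._tokens[token] = (self._clock(), False)
        return token

    def _purge_expired(self):
        # Entries older than the TTL are dropped; a replayed expired token then
        # reads as 'invalid' rather than lingering forever in the cache.
        now = self._clock()
        stale = [t for t, (issued_at, _) in self._tokens.items() if now - issued_at > self._ttl]
        for t in stale:
            del self._tokens[t]

    def submit(self, token):
        """Return 'accepted', 'duplicate' or 'invalid' for a POST carrying `token`."""
        with self._lock:
            self._purge_expired()
            entry = self._tokens.get(token)
            if entry is None:
                return "invalid"        # never issued, or already expired
            issued_at, used = entry
            if used:
                return "duplicate"      # this form was already processed once
            # Check-and-mark happens under the lock, so two racing POSTs
            # with the same token cannot both be accepted.
            self._tokens[token] = (issued_at, True)
        return "accepted"


def burst(guard, token, n=20):
    """Fire n concurrent POSTs with the same token and count each outcome."""
    results = []

    def worker():
        results.append(guard.submit(token))

    threads = [threading.Thread(target=worker) for _ in range(n)]
    for th in threads:
        th.start()
    for th in threads:
        th.join()
    return {k: results.count(k) for k in ("accepted", "duplicate", "invalid")}


if __name__ == "__main__":
    guard = SubmissionGuard()
    tok = guard.issue_token()          # rendered into the form as a hidden field
    print("first POST:", guard.submit(tok))
    print("re-POST:   ", guard.submit(tok))
    print("burst:     ", burst(guard, guard.issue_token()))
```

The decisive detail is that the lookup and the 'used' mark happen inside one critical section; a cache that is checked first and written later leaves a window in which two near-simultaneous requests both pass, which is exactly the case the client-side approaches miss.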