Turbine 2.x User's Guide: Preventing Double Submit of Forms
In your TurbineResources.properties you define a session validator that is processed before your action is. This allows you to force only logged in users to be able to execute a session, or do things like preventing double submission of forms.
There are others as well, including a TemplateSecure'*_SessionValidator. You can create your own by just subclassing SessionValidator and updating your TurbineResources.properties file.
To prevent the double submission of forms, you must put into form a hidden field like this:
<input type="hidden" name="_session_access_counter" value="$data.getUser().getTemp("_session_access_counter")"/>
This will allow the TemplateSession_*'Validator to check the current session_access_counter with the one stored in the user object. If it hasn't incremented, then the user has hit the back button or refresh button.
You must specify where to send the user if an invalid state happens. You can specify either a template or a screen, but if you specify both then only the template will be used (along with the appropriate screen class according to the normal screen loader algorithm):
On this page you can put an error message allowing the user to recover from hitting the wrong button. Look at the class org.apache.turbine.modules.screens.error.InvalidState to see a more complex example that allows the user to undo their mistake.