I would question your overall purchase process. Here is what I mean.
Many web sites are set up in this manner:
- Initiate process
- Taken to payment page, which is off the web site, at a third-party location. A good example is PayPal.
- When payment is complete, the user must click the back to merchant link to inform the web site that the payment is complete, and update any database entries, provide downloads, etc.
If your setup is like this, it's really on the site owner. What should happen here is either a) a silent post which performs the transaction in the background, never leaving the site, or b) an automated method of finishing the transaction so you do not rely on the customer to finish the transaction.
A good example of "b" is PayPal's Instant Payment Notification. You set up a "listener" script on your site. Its job is to listen for messages from PayPal and update a web site's transactions. Once the transaction is complete, PayPal sends a token to your script to complete the transaction. Most processing gateways have a similar method in place to manage this if you use their "payment page."
Eliminate any possible place where you rely on the user to do, or in simonuk's example, NOT do, a particular action that can cause you grief. In his case you should have some method in place to prevent those duplicate submissions.
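A sketch of the listener side described above, added here as an example and not code from the post or from PayPal: it verifies the notification with the gateway, checks it against the stored order, and uses the transaction ID as a uniqueness key so a repeated or replayed notification cannot fulfil the order twice. The field names are PayPal IPN variables; the table layout, `MERCHANT_EMAIL` and the function names are hypothetical.

```python
import sqlite3
from decimal import Decimal, InvalidOperation
from urllib.parse import parse_qs
from urllib.request import urlopen

VERIFY_URL = "https://ipnpb.paypal.com/cgi-bin/webscr"  # PayPal IPN postback endpoint
MERCHANT_EMAIL = "seller@example.test"                   # constructed value

def paypal_verify(raw_body: bytes) -> bool:
    """Send the message back unchanged; PayPal replies VERIFIED or INVALID."""
    data = b"cmd=_notify-validate&" + raw_body
    with urlopen(VERIFY_URL, data=data, timeout=10) as resp:
        return resp.read().strip() == b"VERIFIED"

def init_db(db):
    # Hypothetical schema: orders created at checkout, one row per handled txn_id.
    db.execute("CREATE TABLE orders (invoice TEXT PRIMARY KEY, amount TEXT,"
               " currency TEXT, paid INTEGER DEFAULT 0)")
    db.execute("CREATE TABLE processed (txn_id TEXT PRIMARY KEY)")

def handle_ipn(db, raw_body: bytes, verify=paypal_verify) -> str:
    """Fulfil an order from a gateway notification, at most once per txn_id."""
    if not verify(raw_body):                      # never trust an unverified POST
        return "rejected: not verified"
    msg = {k: v[0] for k, v in parse_qs(raw_body.decode("utf-8", "replace")).items()}
    if msg.get("payment_status") != "Completed":
        return "ignored: not completed"
    if not msg.get("txn_id"):
        return "rejected: no txn_id"
    if msg.get("receiver_email", "").lower() != MERCHANT_EMAIL:
        return "rejected: wrong receiver"
    row = db.execute("SELECT amount, currency FROM orders WHERE invoice = ?",
                     (msg.get("invoice"),)).fetchone()
    if row is None:
        return "rejected: unknown order"
    try:
        paid = Decimal(msg.get("mc_gross", ""))
    except InvalidOperation:
        return "rejected: amount mismatch"
    if paid != Decimal(row[0]) or msg.get("mc_currency") != row[1]:
        return "rejected: amount mismatch"
    try:
        with db:  # one transaction: the PRIMARY KEY makes a replayed txn_id fail
            db.execute("INSERT INTO processed (txn_id) VALUES (?)", (msg["txn_id"],))
            db.execute("UPDATE orders SET paid = 1 WHERE invoice = ?", (msg["invoice"],))
    except sqlite3.IntegrityError:
        return "duplicate: already processed"
    return "fulfilled"
```

The amount and currency are compared with what the site recorded at checkout, not with anything the customer's browser sent back.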