In my javascript form validation function I prevent double-clicking users from submitting the same request multiple times, but retain full functionality for backing up and making another request. But what if javascript is disabled - what is the best approach for a server-side solution using PHP?

Cookies can be disabled so that's probably not the best approach. What about sessions? What are the pros and cons of using sessions for this? How about a time-based limiter? For either of these methods, can the user be identified somehow other than IP number? I would like to avoid compromising usability for browsers behind a proxy server.

All input appreciated.