I have a form which send data in the db, I am using a text number as verification, also i am using a flood protection script i got on net, it logs ip and the time in db; and then works.

IP addresses are easiest to spoof using simple techniques..

Now if user presses the back button on browser the text number (captcha) remains same and can submit the form again after 10 secs. period of flooding. How to prevent?

I read the dc's post on [webmasterworld.com...]
I just got one thing; make a session on the form page with current value and compare it on the processing page. But how does it work?