Hi
I have some ideas about preventing duplicate submissions but nothing definite yet.
I think you have to just chuck the session ID somewhere on the form and pass that around. There is a rails plugin called something like ActionFlow which looks like a start at this kind of structure (read it for ideas only)
My thought would be that you then store the sessionID (or hash of it or something) in the new record and that way you can spot a duplicate submission based on using the back button.
Need to be a bit careful not to let the session get huge though if all the state is in the session. At least carrying everything around on the form has a side benefit of avoiding a bloated session (over time)
I don't really see that chucking stuff on the form creates many new security issues though, it's just important to validate everything on final submission and not only during the initial data entry form.
Also have a look at the Rails way of coding field names. This makes it quite simple to have a model to form mapping (which is easily reversible). Might make stashing stuff and getting it back from the form a lot simpler? Not sure if TT has any opinions on how to do this either?
Ed W