thanks for the info, just thought id ask the question. There are only basically a few ways most people guard against it from what ive read, these are the options if you didnt already know that i cameacross.
1. After each POST redirect the page so that its in a GET state and refreshing the page wont send a POST request. Which is the easiest way to handle it.
http://en.wikipedia.org/wiki/Post/Redirect/Get2. POST pages using ajax.
3. Use a NOnce, this requires a little bit of thought, seems to be used quite a bit and is the most secure if done right. You basically generate an encrypted key with an expiration, store that against the page and the user's session. Once the user sends a POST with a matching key, handle the request and generate a new one so that if the user or any hackers that attempt to request the same page with the same key is not accepted.
https://codex.wordpress.org/WordPress_Noncesim using the first option at the moment but having a look at the nonce and seeing whats involved. But might have to come back to that part of it