$_SESSION
and $_COOKIE
variables could be removed by the user, and are therefore abused by them. You need to store the submits somewhere on your server. Perhaps with MySQL. Then do a check before processing the form.
Something like
SELECT COUNT(*) attempts, MAX(submit_time) last
FROM form_submits
WHERE user_id = ?
AND submit_time > NOW - INTERVAL 2 MINUTE
Then
if ($row['attempts'] > 0) {
echo "You must wait " . (time() - strtotime($row['last'])) . " seconds before you can submit this form again.";
return;
}