Do you call saveToken() anywhere? After the resetToken() perhaps?
It sounds like the following is happening:
1. server generates page with token A, page with token A submitted
2. token A is valid, record saved, tokenReset() called, saveToken() called creating token B
3. user presses back button, and resubmits old form with old token A
4. old token A does not match token B in session, user redirected to "failure"
5. server generates new page with token in session (token B)
6. user submits page with token B, which is accepted with new token B stored in session
Perhaps you could post more of your action where you have anything that uses/resets tokens?
PC Leung wrote:
When a page is displayed with a token,
data is inputted into the form. Clicking the submit button will save a record.
Then click back to the previous page.
Click the submit button again.
Invalid token is detected as expected
Error message displays on top of the page.
However I find the token is changed. Data is still there.
At this time, click the submit button once more. It will go to next page and save a record. The token becomes valid this time.
Why is this so?
Inside DispatchAction:
    if (!isTokenValid(request)) {
        errors.add(ActionErrors.GLOBAL_ERROR,
                   new ActionError("error.transaction.token"));
        saveErrors(request, errors);
        return mapping.findForward("failure");
    }
    resetToken(request);
Inside struts-config.xml:
    <action path="/addUserProfile"
            type="com.erp.quotation.AddUserProfileDispatchAction"
            name="addUserProfileForm"
            scope="request" validate="true" parameter="method"
            input="/AddUserProfile.jsp">
        <forward name="success" path="/AddUserProfile.jsp"/>
        <forward name="failure" path="/AddUserProfile.jsp"/>
        <forward name="cancel" path="/UserMaint.jsp"/>
    </action>
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
-- Jason Lea
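The six-step sequence hypothesised in the reply above, traced as a small stand-alone model. This is an added example, not code from the thread or from Struts: the class `TokenReplayDemo`, the map standing in for the HTTP session, the token strings and the sample data are all constructed, and only the method names mirror the Struts helpers mentioned in the messages.

```java
import java.util.*;

// Toy model of the session token flow (constructed; not Struts code).
// Assumption from the reply: a new token is saved right after resetToken().
public class TokenReplayDemo {
    static final Map<String, String> session = new HashMap<>(); // stands in for HttpSession
    static final List<String> savedRecords = new ArrayList<>();
    static int counter = 0;

    static void saveToken() { session.put("TOKEN", "token-" + (char) ('A' + counter++)); }
    static void resetToken() { session.remove("TOKEN"); }
    static boolean isTokenValid(String submitted) {
        String expected = session.get("TOKEN");
        return expected != null && expected.equals(submitted);
    }

    // Rendering the form embeds whatever token the session holds at that moment.
    static String renderForm() { return session.get("TOKEN"); }

    // Returns the token carried by the page that is rendered after the submit.
    static String submit(String formToken, String data) {
        if (!isTokenValid(formToken)) {
            System.out.println("rejected " + formToken + " -> failure page re-renders the form");
            return renderForm(); // "failure" forwards to the same JSP as "success"
        }
        resetToken();
        savedRecords.add(data);
        saveToken(); // hypothesised call that creates token B
        System.out.println("accepted " + formToken + " -> record saved");
        return renderForm();
    }

    public static void main(String[] args) {
        saveToken();
        String pageA = renderForm();                    // step 1: page with token A
        submit(pageA, "user=alice");                    // step 2: accepted, session now holds B
        String errorPage = submit(pageA, "user=alice"); // steps 3-4: back button, stale A rejected
        submit(errorPage, "user=alice");                // steps 5-6: error page carried B, accepted
        System.out.println("records saved: " + savedRecords); // two copies of the same data
    }
}
```

In this model the duplicate is saved because the "failure" forward re-renders the form, with the old data, carrying the session's current token, so the rejection only delays the second save by one click.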