Hi

HttpServletRequest#getSession() of Tomcat 4.0.3 returns a different session instance.
For example, if you write the following code in Action#perform or Action#execute:

    HttpSession session1 = req.getSession();
    HttpSession session2 = req.getSession();
    System.out.println("session1="+session1);
    System.out.println("session2="+session2);
    System.out.println(session1==session2);

you will get the following result:

    session1=org.apache.catalina.session.StandardSessionFacade@7cd37a
    session1=org.apache.catalina.session.StandardSessionFacade@202d69
    false

This means that the session instance returned by HttpServletRequest#getSession() cannot be used as a thread lock monitor.
But in Action#isTokenValid(HttpServletRequest request, boolean reset) of Struts 1.1b, the session instance is used as a thread lock monitor.
Does this method work correctly when a submit button is quickly pushed twice?

-----------------
protected boolean isTokenValid(HttpServletRequest request, boolean reset) {

    // Retrieve the current session for this request
    HttpSession session = request.getSession(false);
    if (session == null)
        return (false);

    synchronized (session) {

        // Retrieve the transaction token from this session, and
        // reset it if requested
        String saved = (String) session.getAttribute(TRANSACTION_TOKEN_KEY);
        if (saved == null)
            return (false);
        if (reset)
            session.removeAttribute(TRANSACTION_TOKEN_KEY);

        // Retrieve the transaction token included in this request
        String token = (String) request.getParameter(Constants.TOKEN_KEY);
        if (token == null)
            return (false);

        // Do the values match?
        return (saved.equals(token));
    }
}
---------------------

Best regards,

/**
 * Hiroshi Fujimura
 * @e-mail [EMAIL PROTECTED]
 * @version 0.9.1b :-)
 */
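The question above turns on what object the token check locks on. The following is an added example, not part of the original post and not Struts or Tomcat code: it simulates two requests that each see a distinct facade over the same session state, and locks on a mutex object stored in that shared state instead of on the facade. The `Facade` class, `mutexFor` helper, attribute names and token value are hypothetical stand-ins constructed for the demonstration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.atomic.AtomicInteger;

public class TokenLockDemo {
    static final String TOKEN_KEY = "TRANSACTION_TOKEN"; // constructed name
    static final String MUTEX_KEY = "SESSION_MUTEX";     // hypothetical attribute

    /** Stand-in for a session facade: a new wrapper per lookup, shared state. */
    static final class Facade {
        final Map<String, Object> attrs;
        Facade(Map<String, Object> shared) { attrs = shared; }
    }

    /** Lock object kept in the session state, so every facade yields the same
     *  monitor. In a servlet, set it once in HttpSessionListener#sessionCreated. */
    static Object mutexFor(Facade s) {
        return s.attrs.computeIfAbsent(MUTEX_KEY, k -> new Object());
    }

    /** Same check-and-reset as the quoted method, but locked on the shared mutex. */
    static boolean isTokenValid(Facade s, String submitted, boolean reset) {
        synchronized (mutexFor(s)) {
            String saved = (String) s.attrs.get(TOKEN_KEY);
            if (saved == null) return false;
            if (reset) s.attrs.remove(TOKEN_KEY);
            return saved.equals(submitted);
        }
    }

    public static void main(String[] args) throws InterruptedException {
        Map<String, Object> shared = new ConcurrentHashMap<>();
        shared.put(TOKEN_KEY, "tok-1");             // constructed sample token
        AtomicInteger accepted = new AtomicInteger();
        CountDownLatch start = new CountDownLatch(1);
        Thread[] submits = new Thread[2];           // the double-clicked submit
        for (int i = 0; i < submits.length; i++) {
            submits[i] = new Thread(() -> {
                Facade f = new Facade(shared);      // distinct facade per request
                try { start.await(); } catch (InterruptedException e) { return; }
                if (isTokenValid(f, "tok-1", true)) accepted.incrementAndGet();
            });
            submits[i].start();
        }
        start.countDown();
        for (Thread t : submits) t.join();
        System.out.println("accepted submits: " + accepted.get());
    }
}
```

Because both threads resolve the same mutex object from the shared state, the read-and-remove of the token is serialized and only one of the two submits can be accepted, regardless of which facade instance each request holds.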