I think I understand:
-- generate a unique token=xyz123 and store it in the session
-- generate the catalogue content so that the addToCart URLs look like this in the HTML source: http://my.domain.com/addToCart.do?itemId=HB0019?token=xyz123
-- when the user adds an item to the cart, check the form data token against the session token
-- if they match, add to cart, generate a new token and store it in the session
-- the user clicks 'continue shopping' and new catalogue content is generated with URLs containing the new session token: http://my.domain.com/addToCart.do?itemId=HB0019?token=bgh456
What happens if the user hits the back button to return to the catalogue? That is a perfectly valid thing to do.
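The flow described in the post, and the back-button case it asks about, as an added example (this is not code from the original post). The session, catalogue rendering and addToCart handler are constructed stand-ins; the host and parameter names follow the post, but the example separates the two query parameters with '&'. The `token_window` parameter is an assumption added here to show the trade-off: a window of 1 is the strict per-request scheme from the post, a larger window keeps the last few issued tokens valid so a page reached via the back button still works.

```python
import secrets
from collections import deque
from urllib.parse import parse_qs, urlparse


class Session:
    """Server-side session state for one shopper (constructed example)."""

    def __init__(self, token_window=1):
        self.cart = []
        # Most recently issued tokens, newest last. token_window=1 is the
        # strict scheme from the post (only the latest token is honoured);
        # a larger window tolerates stale pages shown by the back button.
        self.tokens = deque(maxlen=token_window)
        self.rotate_token()

    def rotate_token(self):
        """Issue a fresh unpredictable token and make it the current one."""
        tok = secrets.token_urlsafe(16)
        self.tokens.append(tok)
        return tok

    def current_token(self):
        return self.tokens[-1]


def render_catalogue(session, item_ids):
    """Return the addToCart URLs embedded in the catalogue page for this
    session. Host and parameter names follow the post; '&' joins them."""
    tok = session.current_token()
    return {
        item: f"http://my.domain.com/addToCart.do?itemId={item}&token={tok}"
        for item in item_ids
    }


def extract_token(url):
    """Pull the token parameter back out of a rendered URL (what the browser
    sends when the user clicks the link)."""
    return parse_qs(urlparse(url).query)["token"][0]


def add_to_cart(session, item_id, token):
    """Accept the request only if the submitted token is one the session
    currently honours; on success add the item and rotate the token, as the
    post describes. Returns True on success, False if the token is stale."""
    if token not in session.tokens:
        return False
    session.cart.append(item_id)
    session.rotate_token()
    return True


def back_button_scenario(token_window):
    """Replay the sequence from the post: add from page 1, 'continue shopping'
    renders page 2 with a new token, then the user presses back and clicks a
    link on the stale page 1. Returns (stale_click_accepted, cart)."""
    s = Session(token_window=token_window)
    page1 = render_catalogue(s, ["HB0019", "HB0020"])
    assert add_to_cart(s, "HB0019", extract_token(page1["HB0019"]))
    render_catalogue(s, ["HB0019", "HB0020"])  # 'continue shopping' -> page 2
    # Back button: the browser shows page 1 again, links still carry the old token.
    stale_ok = add_to_cart(s, "HB0020", extract_token(page1["HB0020"]))
    return stale_ok, list(s.cart)


if __name__ == "__main__":
    print(back_button_scenario(1))  # strict per-request token: stale click rejected
    print(back_button_scenario(2))  # window of two tokens: stale click accepted
```

With a window of one, the stale page's link is refused and the user sees an error for doing something perfectly ordinary; with a window of two, the click is accepted, but the token already spent on HB0019 is still honoured, so the same add could also be replayed once, which is exactly the duplicate submission the per-request rotation was meant to stop. Whichever window is chosen, tokens carried in GET URLs also end up in browser history, proxy logs and Referer headers, so this scheme is weaker than the same check done on a POSTed form field.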