What is the use of token tag in Struts2 and how does it work?

Question

I came across this <s:token /> tag and it is enclosed in a <s:form></s:form> tag in a JSP Page. Some other StackOverflow link discusses its usage in maintaining session and prevention of double submission of forms. What exactly is the use of this tag? If it prevents double submission of form then what happens when I submit form and how does it prevent it?

possible duplicate of [Difference between Token Interceptor and Token Session Interceptor?](http://stackoverflow.com/q/19525888/1700321) — Aleksandr M, Apr 27 '15 at 07:52
@AleksandrM this question/answer doesn't relate with the Struts2 tag, just a piece of code that tells difference but doesn't expain how it works. — Paramvir Singh Karwal, Apr 27 '15 at 08:00
how does it gets to know if it is submitted more than one time, where does the flow go when it checks this, a basic explanation would work :) — Paramvir Singh Karwal, Apr 27 '15 at 08:16
The explanation you are looking for is already [in this answer](http://stackoverflow.com/a/28717589/1654265), I won't replicate it here, so feel free to upvote that if it helps. — Andrea Ligios, Apr 27 '15 at 09:03

score 4 · Accepted Answer · edited May 23 '17 at 12:00

Here I am answering my own question because this may help someone in future, though I will try to dig more on this and get it updated.

The plain English explanation I found:

"The token tag generates an unique token which is used to find out whether a form has been double submitted. When the form is rendered, a hidden variable is placed as the token value. Let us say, for example that the token is "ABC". When this form is submitted, the Struts Filter checks the token against the token stored in the session. If it matches, it removes the token from the session. Now, if the form is accidentally resubmitted (either by refreshing or by hitting the browser back button), the form will be resubmitted with "ABC" as the token. In this case, the filter checks the token against the token stored in the session again. But because the token "ABC" has been removed from the session, it will not match and the Struts filter will reject the request." (Source)

However these two StackOverflow answers add more to knowledge.

Note: *Struts Filter* should be replaced by **interceptor**. — Aleksandr M, Apr 27 '15 at 10:08

Vy Do · Answer 2 · 2015-05-17T10:30:06.773

The purpose of <s:token/> tag:

Stop double-submission of forms.

The token tag is used to help with the "double click" submission problem. It is needed if you are using the TokenInterceptor or the TokenSessionInterceptor. The s:token tag merely places a hidden element that contains the unique token.

(Source: https://struts.apache.org/docs/token.html )

What is the use of token tag in Struts2?

See example.

How it works?

It works mainly by using a class, a Helper class and a configuration xml file: Token.java , TokenHelper.java, struts-token.xml.

What is the use of token tag in Struts2 and how does it work?

2 Answers2