Struts 2 tokenSession interceptor issue while redirecting from one action to another

Need your urgent help. We are facing a sev1 issue in using thew tokenSession interceptor to implement to prevent CSRF. The flow is such that Action1 --> Action 2 . We are using ActionRedirect to move from one Action to another, however whenever we use the tokenSession interceptor , it does not hit the destination action , instead it goes into a infinite loop. Below is the Struts.xml entry

LoginAction calls CompanyAction , but it goes into a infinite loop. If we remove the tokenSession interceptor entry in CompanyAction , it works fine. But we need to have it for CSRF

<!DOCTYPE struts PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 2.0//EN" "http://struts.apache.org/dtds/struts-2.0.dtd"> <struts> <constant name="struts.devMode" value="false" /> <constant name="struts.enable.DynamicMethodInvocation" value="false" /> <constant name="struts.custom.i18n.resources" value="labels,error_messages" /> <package name="default" extends="struts-default" namespace="/"> <interceptors> <interceptor class="com.mss.rmt.dmm.interceptor.StrictTransportSecurityInterceptor" name="strictTransportSecurityInterceptor"></interceptor> </interceptors> <action name="login" class="com.mss.rmt.dmm.action.LoginAction" method="login"> <interceptor-ref name="strictTransportSecurityInterceptor"></interceptor-ref> <interceptor-ref name="tokenSession"></interceptor-ref> <interceptor-ref name="defaultStack"></interceptor-ref> <result name="possible-xss-attack">/login.jsp</result> <result name="invalid.token">/login.jsp</result> <result name="success" type="redirectAction"> <param name="location">companyAction</param> <param name="struts.token.name">token</param> <param name="token">${token}</param> </result> <result name="input">/login.jsp</result> <result name="contactadmin">pages/contactadmin.jsp</result> </action> <action name="companyAction" class="com.mss.rmt.dmm.action.CompanyAction"> <interceptor-ref name="strictTransportSecurityInterceptor"></interceptor-ref> <interceptor-ref name="tokenSession"></interceptor-ref> <interceptor-ref name="defaultStack"></interceptor-ref> <result name="possible-xss-attack">/login.jsp</result> <result name="invalid.token">/login.jsp</result> <result name="success">/WEB-INF/pages/manager_dashboard.jsp</result> <result name="scvAction" type="redirect">scvAction</result> <result name="newclient" type="redirect"> <param name="location">clientAction</param> <param name="struts.token.name">token</param> <param name="token">${token}</param> </result> <result name="industryDoc" type="redirect">industryDoc</result> </action> </package> <!-- <include file="struts-login.xml" /> <include file="struts-landing.xml" /> <include file="struts-scv.xml" /> --> </struts>
Request your inputs.

Regards
Neel

// pasted from a second topic on the subject = JCE

This is in continuation to my earlier post where in specified that when there are two action - such that Action 1 redirects to Action 2 and tokenSession interceptor is used in both to prevent CSRF , then it goes into a infinite loop. Please let me know the correct way to implement tokenSession interceptor when a Action redirects to another Action and so on , such that every Action has to check for valid tokens.