This was posted in the bug tracker [1]:

Craig McClanahan [08/Nov/06 10:38 PM]
* It is trivially simple for an application to provide an "escape hatch" when the user screws up ... create a "Cancel" button with immediate="true", and this action will get processed *before* Process Validations phase, and therefore will bypass the check performed by the Token component.

What do you think about storing an attribute in the request when the token validation fails that could help render the "Cancel" button (if no token error, no cancel button)?

-- Seeing is believing