Using Struts 2.3.20.1. We have a long-running token-protected (for CSRF) action that can take up to about 30 seconds sometimes. When this action is running on behalf of "Alice", the "List Users" page for all other people on the system such as Bob and Charlie is hung, because the List Users page is trying to show whether or not "Alice" is logged in by accessing properties of her HTTP session.
Is it necessary for TokenInterceptor to hold onto the session lock for the entire action invocation? Sincerely, rgm
