[Jon Egan]If you do this, the only "problem" you are allowing is the user to have two windows displaying the exact same page. Once the user navigates in one of them, it would also allow them to see both pages (new and old) at the same time, but if this was a problem you would also have to find a way to keep them from printing, jotting down notes on paper, doing screen capture, ....
means that you have to allow users to use back and refresh, then this won't meet all the requirements. It gets bigger and more unpleasant as you try to accomodate all of that.
if even back and refresh should work fine
STEP 1: User requests a first page (pg1.jsp), and server saves off "lastRequestTime" as X, and sends a page that holds the value (in URLs or hidden form field) named "verifyLastRequestTime", with value X.
STEP 2: User makes another request (submits pg1.jsp) to get a new page (pg2.jsp), server sees the "verifyLastRequestTime" value of X in the request, verifies it matches the "lastRequestTime" in the session, and allows the request to proceed. It is now time Y, so the server updates "lastRequestTime" to be Y, and sends out pg2.jsp with a hidden "verifyLastRequestTime" value of Y. This page has the cache-control directives in the HTTP headers or meta tags.
STEP 3: User then opens a new window, in which the browser wants to again display pg2.jsp - but it doesn't have the results of that request in a cache (I think this works, even though it definitely has it in memory since it is still displaying the page in the original window). So the browser prompts the user "repost form data?" (or if it was a link, it just sends the URL with a GET request) with all of the request parameter info exactly as it was in the original STEP 2 request (including value of X for "verifyLastRequestTime"). The server now compares the submitted value of X to the value in the session, which is Y, and disallows the request (sends to an error page or something).
When first req happens from login.jsp--> pg1.jsp , the url gets updated to pg1.jsp?timeToken=X
and pg1.jsp-->pg2.jsp the url should get updated to pg2.jsp?timeToken=Y
so at this time when the user presses Ctrl-N token will go as Y rather than X.
Hope it has something to do with whether u send the timeToken in URL or not ...... and currently i have frames in my application
so can u tell me how much feasibility that has