protected String handleToken(ActionInvocation invocation) throws Exception { // see WW-2902: we need to use the real HttpSession here, as opposed to the map // that wraps the session, because a new wrap is created on every request HttpSession session = ServletActionContext.getRequest().getSession(true); synchronized (session) { if (!TokenHelper.validToken()) { return handleInvalidToken(invocation); } } return handleValidToken(invocation); }