I have an J2EE compliant web application. I use a session based token to append a secondary id to all incoming link generated by my application. To prevent my application against CSRF attack, I validate the secondary id before I allow the user session to work off the subsequent page. Recently, while working with session replication mechanism implementation, I observed that on session failover, the generated secodary id is lost and the user get re directed to the login page/default page. Any suggestions on how I can ensure that the my generated secondary token id is not lost from the replicated session?