MVC

ValidateAntiForgeryTokenHeader

All controller actions that receive HTTP POST requests (actions decorated with HttpPostAttribute) should also be decorated with Litium.Accelerator.Mvc.Attributes.ValidateAntiForgeryTokenHeaderAttribute to prevent Cross-Site Request Forgery (CSRF). An action without the attribute is not validated, so every state-changing POST needs it.


Example:

[HttpPost]
[ValidateAntiForgeryTokenHeader]
public PartialViewResult UpdateOrderItem(CheckOutB2B currentPageDefinition, Guid orderRowId, int quantity)
{
    // ... update the order row and return the partial view ...
}

All forms that post to the action must then include the token in their HTML markup; add it with the HTML helper:

@Html.AntiForgeryToken()

Litium.Accelerator.Mvc.Attributes.ValidateAntiForgeryTokenHeaderAttribute is preferred over the standard System.Web.Mvc.ValidateAntiForgeryTokenAttribute because it also supports AJAX POST requests with a JSON payload. A JSON body carries no form field, so the attribute looks for the anti-forgery token in the request headers as well as in the posted form data, instead of only in the form data. The ASP.NET anti-forgery scheme validates the request token against the anti-forgery cookie, so wherever the token is carried, a value in the header on its own does not pass the check.

In accelerator.js the anti-forgery token is read from the page and added as a request header to all jQuery AJAX calls, using the beforeSend hook registered through $.ajaxSetup.
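The following is an added example, not code from accelerator.js or from Litium, showing the client side of the header-based check described above: the token rendered by @Html.AntiForgeryToken() is read from the page markup and attached by a beforeSend hook of the shape $.ajaxSetup expects. Because $.ajaxSetup applies to every jQuery request on the page, the hook also skips cross-origin requests so the token is never leaked to a third party. The hidden-field name __RequestVerificationToken (the ASP.NET MVC default) and the header name RequestVerificationToken are assumptions; the page does not state the header name the attribute reads, so check it against the attribute's source before reuse. The sample markup and the jqXHR stand-in are constructed so the example runs outside a browser.

```javascript
// Added example (not Litium's accelerator.js): carry the page's anti-forgery token
// in a request header for AJAX calls, but only for same-origin requests.
// Assumptions (not stated on the page): the hidden field is named
// __RequestVerificationToken and the header is named RequestVerificationToken.
const TOKEN_FIELD_NAME = "__RequestVerificationToken";
const TOKEN_HEADER_NAME = "RequestVerificationToken";

// Constructed sample of the markup a form with @Html.AntiForgeryToken() renders.
const SAMPLE_PAGE_HTML = `
<form action="/checkout/updateorderitem" method="post">
  <input name="__RequestVerificationToken" type="hidden" value="CfDJ8Example-Token-Value" />
  <input name="quantity" type="number" value="2" />
</form>`;

// Read the token value from page markup. In a browser this would be
// document.querySelector('input[name="__RequestVerificationToken"]').value;
// a regular expression over the markup string keeps the example runnable in Node.
function readAntiForgeryToken(html) {
  const re = new RegExp(
    `<input[^>]*name="${TOKEN_FIELD_NAME}"[^>]*value="([^"]*)"`, "i");
  const m = re.exec(html);
  return m ? m[1] : null;
}

// Build a hook with the signature jQuery's $.ajaxSetup({ beforeSend }) calls:
// beforeSend(jqXHR, settings). jQuery sets settings.crossDomain when the request
// URL points at another origin; the token must never be sent there.
function createBeforeSend(token) {
  return function beforeSend(xhr, settings) {
    if (!token || (settings && settings.crossDomain)) {
      return true; // nothing to add, or a third-party request: send no token
    }
    xhr.setRequestHeader(TOKEN_HEADER_NAME, token);
    return true;
  };
}

// Minimal stand-in for jqXHR that records the headers a hook sets, so the
// behaviour can be checked without a browser.
function fakeXhr() {
  const headers = {};
  return {
    headers,
    setRequestHeader(name, value) { headers[name] = value; }
  };
}

// Run the hook once for a same-origin JSON POST and once for a cross-origin
// request, and return what each request would carry.
function simulate(html) {
  const token = readAntiForgeryToken(html);
  const hook = createBeforeSend(token);

  const sameOrigin = fakeXhr();
  hook(sameOrigin, { url: "/checkout/updateorderitem", crossDomain: false });

  const thirdParty = fakeXhr();
  hook(thirdParty, { url: "https://example.org/api", crossDomain: true });

  return {
    token,
    sameOriginHeaders: sameOrigin.headers,
    thirdPartyHeaders: thirdParty.headers
  };
}

// In a browser the wiring would be a single call such as:
//   $.ajaxSetup({ beforeSend: createBeforeSend(
//     readAntiForgeryToken(document.documentElement.outerHTML)) });
console.log(JSON.stringify(simulate(SAMPLE_PAGE_HTML), null, 2));
```

The same-origin request ends up with the RequestVerificationToken header set to the page's token, while the cross-origin request gets no header at all; on the server the header value is still only accepted together with the anti-forgery cookie.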
