All controller actions that receive HTTP POST calls (those decorated with the HttpPostAttribute) should also be decorated with the Litium.Accelerator.Mvc.Attributes.ValidateAntiForgeryTokenHeaderAttribute to prevent Cross-Site Request Forgery (CSRF):

```csharp
// Both attributes go on the action: HttpPost restricts the verb, and the
// header-aware anti-forgery attribute rejects requests that carry no valid token.
[HttpPost]
[ValidateAntiForgeryTokenHeader]
public PartialViewResult UpdateOrderItem(CheckOutB2B currentPageDefinition, Guid orderRowId, int quantity)
```

All forms posting to the action are then required to include the token in their HTML markup. Add it inside the form with the @Html.AntiForgeryToken() HTML helper, which renders the token as a hidden input field:


Litium.Accelerator.Mvc.Attributes.ValidateAntiForgeryTokenHeaderAttribute is preferred over the standard System.Web.Mvc.ValidateAntiForgeryTokenAttribute because it also supports AJAX POST requests with a JSON payload. It does this by also checking the request headers for the anti-forgery token, whereas the standard attribute only looks for the token in the posted form fields, which a JSON body does not have.

In accelerator.js the anti-forgery token is read from the page and added as a request header to all jQuery AJAX calls, using the beforeSend hook in the ajaxSetup function.
