What's the point of [IgnoreAntiforgeryToken] attribute

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
3 years ago
Hello everyone and Happy New Year!!!

I have a question related to the usage of the [IgnoreAntiforgeryToken] attribute. What is the point of disabling the antiforgery token validation?
For example, this is used in the ProductController.cs --> AddProductToCompareList action method.
3 years ago
https://docs.microsoft.com/en-us/aspnet/core/security/anti-request-forgery?view=aspnetcore-3.1
3 years ago
Yidna wrote:

Hi, thank you for your answer!
Maybe I didn't ask my question right. I read this documentation and I'm aware of what the [IgnoreAntiforgeryToken] attribute does, but I'm a little confused about its usage in the NopCommerce source code:

1. There are controllers which are decorated with the [AutoValidateAntiforgeryToken] attribute but their GET methods (not decorated with the [HttpPost] attribute) are marked with the [IgnoreAntiforgeryToken]. One such example is CheckoutController.cs. As the documentation states, the [AutoValidateAntiforgeryToken] does skip GET methods and does not check the antiforgery token, so then why use the [IgnoreAntiforgeryToken] on such methods?

2. There are controllers decorated with the [AutoValidateAntiforgeryToken] and some of their methods are decorated with the [IgnoreAntiforgeryToken]. Maybe to allow accessing these methods without an active login session or something else?

3. There are controllers not decorated with the [AutoValidateAntiforgeryToken] but only single methods in those controllers are decorated with this attribute. Such an example is PrivateMessagesController.cs
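
The three attribute combinations listed in the post above, shown side by side as an added example (not nopCommerce code and not part of the original posts). The controller and action names are hypothetical; the attributes are the standard ASP.NET Core MVC ones.

```csharp
using Microsoft.AspNetCore.Mvc;

// Hypothetical controllers for illustration; names are not from nopCommerce.

// Cases 1 and 2: controller-wide automatic validation.
[AutoValidateAntiforgeryToken]
public class SampleCheckoutController : Controller
{
    // GET is a "safe" method (like HEAD, OPTIONS, TRACE):
    // AutoValidateAntiforgeryToken never checks it, so adding
    // [IgnoreAntiforgeryToken] here would change nothing.
    [HttpGet]
    public IActionResult Cart() => View();

    // Unsafe method with no opt-out: a request without a valid token
    // is rejected with HTTP 400 before the action body runs.
    [HttpPost]
    public IActionResult Confirm(int orderId) => RedirectToAction(nameof(Cart));

    // Unsafe method with an explicit opt-out: the action-level attribute
    // overrides the controller-level policy, so no token is required.
    // This is only safe when the caller is not authenticated by browser
    // cookies, e.g. a server-to-server callback verified by its own signature.
    [HttpPost]
    [IgnoreAntiforgeryToken]
    public IActionResult PaymentCallback() => Ok();
}

// Case 3: no controller-wide policy; validation is opted in per action.
public class SampleMessagesController : Controller
{
    [HttpGet]
    public IActionResult Compose() => View();

    // Only this action requires the token.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Send(string text) => RedirectToAction(nameof(Compose));

    // State-changing but unprotected: nothing validates a token here,
    // which is the gap a controller-level attribute would close.
    [HttpPost]
    public IActionResult Delete(int id) => RedirectToAction(nameof(Compose));
}
```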
3 years ago
Thanks. I've created the issue, let's discuss there.
2 years ago
Done. We refactored it, see this commit for details.