See link below
1 Answers
You wouldn't use the AntiForgeryToken with the service itself. It's actually quite simple if you are using MVC and the C# implementation of ServiceStack. Here is an example of how I would do it with C# and MVC for a login service.
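```csharp
// MVC checks the anti-forgery token before this action runs.
[ValidateAntiForgeryToken]
public ActionResult Login(LoginModel model)
{
    // The controller, not the browser, calls the ServiceStack API.
    var client = new JsonServiceClient("http://host/api/");
    var response = client.Post(model);
    return this.View(response);
}
```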
I hope this helps. With limited information on how you are trying to use it, it's hard to give a definitive answer.
EDIT/ADDED:
The AntiForgeryToken is really an MVC feature to be used within the controller, not on the REST service. I don't think this would translate well.
If you wanted to use the AntiForgeryToken, you would do all of your calls (ajax or not) through your controller and let the controller's action do the talking to the service. If you needed to call the service directly from the front-end, you would pass over a unique token that you could store on the service/db side of things that would be passed in the headers and verified on the service side of things.

Well, I am not so concerned about Logon stuff. I am more concerned about other service calls besides Logon. Like, let's say I have a ShoppingCart service and I want to call via ajax: `mysite/api/Cart` that maps to `class CartService : RestService`, and I want to POST to this address to add an item. How can I prevent users from posting data besides just verifying the cookie? – kyleb May 23 '13 at 18:10
I think I understand what you are trying to accomplish. The purpose of an AntiForgeryToken is explained here: [link](http://stackoverflow.com/questions/13621934/could-you-explain-validateantiforgerytoken-purpose-and-show-me-example-about-val). No matter what the service is, if you wanted to use an AntiForgeryToken, you would go through the controller to call the service. If you were to post directly from the JavaScript in an ajax post, you could add a header to the service call with a unique key that is validated on the service side to make sure the call is valid. – technicallyjosh May 23 '13 at 18:26
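The header-token check described in the answer and in the last comment, sketched as an added example (not code from the thread or from ServiceStack). `RequestTokenStore`, the session ids and the `X-Csrf-Token` header name are hypothetical; the in-memory dictionary stands in for the "service/db side" storage, and `CryptographicOperations` assumes .NET Core 2.1 or later.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: issues one random token per session and checks the
// value the client sends back in a request header (e.g. "X-Csrf-Token").
public sealed class RequestTokenStore
{
    // Stand-in for service/db storage, keyed by session id.
    private readonly ConcurrentDictionary<string, byte[]> _tokens =
        new ConcurrentDictionary<string, byte[]>();

    // Called when a page is rendered for an authenticated session.
    public string Issue(string sessionId)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(raw);
        var token = Convert.ToBase64String(raw);
        _tokens[sessionId] = Encoding.UTF8.GetBytes(token);
        return token;
    }

    // Called by the service before it handles a state-changing request.
    public bool IsValid(string sessionId, string headerValue)
    {
        if (string.IsNullOrEmpty(sessionId) || string.IsNullOrEmpty(headerValue))
            return false;   // header or session missing: reject
        if (!_tokens.TryGetValue(sessionId, out var expected))
            return false;   // no token was issued for this session
        var supplied = Encoding.UTF8.GetBytes(headerValue);
        // Constant-time comparison; also false when lengths differ.
        return CryptographicOperations.FixedTimeEquals(supplied, expected);
    }
}

public static class Demo
{
    public static void Main()
    {
        var store = new RequestTokenStore();
        var token = store.Issue("session-A");   // constructed session ids
        store.Issue("session-B");

        Console.WriteLine(store.IsValid("session-A", token)); // own token
        Console.WriteLine(store.IsValid("session-B", token)); // another session's token
        Console.WriteLine(store.IsValid("session-A", null));  // header absent
    }
}
```

The cookie alone is sent automatically by the browser on a forged cross-site POST; the header value is not, which is why the service checks both.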