As I understand the [HttpPost] attribute, or any POST method for that matter, it is used when state is changed. However, if you set up Forms Authentication with a loginUrl like:
<forms loginUrl="~/Account/LogIn" ...
this will force a redirect when an [Authorize] attribute is encountered. Example:
[Authorize]
public ActionResult AccessPrivateData()
{
// Should redirect to /Account/LogIn if AuthCookie not set
// ...
}
So far so good. My problem is that I can't use [HttpPost] for the LogIn action now (because you can't redirect to a POST):
[HttpPost]
public ActionResult LogIn(string username, string password)
{
// Won't find the URL (/Account/LogIn) if redirected to here...
// ...
}
but wouldn't a LogIn action indeed change state, warranting a POST? Please someone offer some explanation, and if you can, how you deal with this.
You could have two LogIn actions. The redirect will use a GET and get sent to the action that simply renders the login form.
When the form is posted, it will use the method decorated with [HttpPost]
[HttpGet]
public ActionResult Login()
{
// Render view
}
[HttpPost]
public ActionResult LogIn(string username, string password)
{
// Process form post
}