From a376b7b40b08a235253d15e4a12814ddab5883f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Ros?=
Date: Sat, 27 Nov 2010 10:54:44 -0800
Subject: [PATCH] Preventing anti forgery tokenized forms to be cached Work Item: 16538
--HG--
branch : dev
---
 src/Orchard/Mvc/Html/HtmlHelperExtensions.cs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/Orchard/Mvc/Html/HtmlHelperExtensions.cs b/src/Orchard/Mvc/Html/HtmlHelperExtensions.cs
index 55576b657..fddf72c37 100644
--- a/src/Orchard/Mvc/Html/HtmlHelperExtensions.cs
+++ b/src/Orchard/Mvc/Html/HtmlHelperExtensions.cs
@@ -336,6 +336,14 @@ namespace Orchard.Mvc.Html {
 }
 
 public static MvcForm BeginFormAntiForgeryPost(this HtmlHelper htmlHelper, string formAction, FormMethod formMethod, IDictionary htmlAttributes) {
+ // Force the browser not to cache protected forms, and to reload them if needed.
+ var response = htmlHelper.ViewContext.HttpContext.Response;
+ response.Cache.SetExpires(System.DateTime.UtcNow.AddDays(-1));
+ response.Cache.SetValidUntilExpires(false);
+ response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
+ response.Cache.SetCacheability(HttpCacheability.NoCache);
+ response.Cache.SetNoStore();
+
 var tagBuilder = new TagBuilder("form");
 tagBuilder.MergeAttributes(htmlAttributes);
 
@@ -346,7 +354,6 @@ namespace Orchard.Mvc.Html {
 return new MvcFormAntiForgeryPost(htmlHelper);
 }
 
-
 #endregion
 
 #region AntiForgeryTokenOrchard
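Review bot: The no-cache policy is applied only inside this overload of `BeginFormAntiForgeryPost`, so a view that writes the token some other way would still produce a cacheable page; the `AntiForgeryTokenOrchard` region that opens at the end of the second hunk suggests such a helper exists, though its body is not visible here. Consider moving the `response.Cache` calls into one private static helper and calling it from wherever the token is actually emitted, so the header policy follows the token rather than the form tag. The comment could also state the reason and the reach, e.g. `// A cached page would replay a stale (or, from a shared cache, another user's) token; this marks the whole response non-cacheable, not just the form.` These calls presumably take effect only while the response headers are still unsent, which should hold with buffered view rendering but is worth confirming. The method body continues past the end of the first hunk.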