// NOTE(review): anti-forgery validation is commented out on an endpoint that accepts
// credentials. Without a CSRF check a third-party page can POST a login with
// attacker-chosen credentials and bind the victim's browser to that session (login
// CSRF). If this is a Web API controller, the MVC [ValidateAntiForgeryToken] attribute
// would not run anyway — confirm that the client sends a token and that an equivalent
// Web API filter actually enforces it.
//[ValidateAntiForgeryToken]
/// <summary>
/// Authenticates the caller from a posted <see cref="LoginForm"/>.
/// </summary>
/// <param name="loginForm">Posted e-mail, password and remember-me flag.</param>
/// <returns>
/// A success response carrying a client-side redirect path when the credentials are
/// accepted; an invalid response when form validation fails or the login is rejected;
/// an error response when the authentication call throws.
/// </returns>
public HttpResponseMessage Login(LoginForm loginForm)
{
    var validation = loginForm.Validate();

    // Reject malformed input before touching the authentication layer.
    if (!validation.IsValid)
    {
        return CreateInvalidResponse(validation);
    }

    try
    {
        var authenticated = AuthenticationSecurity.Login(loginForm.Email, loginForm.Password, loginForm.RememberMe);

        if (!authenticated)
        {
            // Deliberately generic failure: whatever the reason Login returned false, the
            // caller sees the same "invalid password" result, which avoids leaking whether
            // the account exists.
            return CreateInvalidResponse(loginForm.AsInvalidPassword());
        }

        // Fixed, server-controlled redirect target. It is not taken from the request, so
        // it cannot be abused as an open redirect. The client follows it and the server
        // resolves the account's real landing path once the session is established.
        const string redirect = "/c/#/path-to-somewhere/";
        return CreateSuccessResponse(new { success = true, results = redirect });
    }
    catch (Exception ex)
    {
        // A failure mid-login must not leave a partially established session behind.
        AuthenticationSecurity.Logout();

        // NOTE(review): the raw exception is handed to the response builder. Confirm that
        // CreateErrorResponse does not serialize ex.Message or the stack trace to the
        // client; internal details belong in server-side logs only.
        return CreateErrorResponse(ex);
    }
}