How can I achieve in an ASP.NET application, that a set of URLs/ASPX pages (parts of the application) cannot be called directly from the user in the Browser? These urls/pages may only be referenced in the application itself.
views:
27answers:
1
+4
A:
You can't. If a user can get to a page, they will be able to call it directly. You can't control peoples browsers...
One option is to look at the "HTTP_REFERER" header and if it is empty or has an unexpected value redirect. This does mean that your application will have to set it.
Another one is to create a custom header ("X-my-app", for instance) and if it does not exist, redirect.
Oded
2010-08-02 08:56:38
HTTP_REFERER is called the Referrer with an additional R since the people of W3C failed their spelling checks... :-) It should have been HTTP_REFERRER... But indeed, check the referrer to check the previous page. If it's an unexpected value, redirect to somewhere else. (With ASP.NET, you could add this logic into a master page, but then your index page should make an exception for all visitors.)
Workshop Alex
2010-08-02 09:03:01