How to create a view that is not accessible directly but can only be redirected to?

Question

I'm currently working on the user registration in my project. After the registration is done I wish to show some confirmation to the user. I decided to create another view. That's fine.

Now, if after the registration I just return the view like:

public class MyController : Controller
{
    [AcceptVerbs (HttpVerbs.Post), ValidateAntiForgeryToken]
    public ActionResult Registration (FormCollection form)
    {
        /* Some logic goes here */

        return View ("ConfirmationView");
    }
}

Everything is working as desired. No changed url in the title bar. But... If I click the refresh button, the browser will submit the data from the form again which I do not want.

Then I decided to create a separate action, but that means it will produce a new url in the address bar. I do not want the user to click refresh now because this view will not be able to sensibly display the confirmation information again. Is there any way to make an action not accessible directly? Or at least any way to determine whether it was called directly or by redirection? In the latter case I would just take the user away from that page to maybe the home page.

Any way to accomplish this?

Answer 1

One way to solve your problem is to attach a guid or similar type of "random" data to a user session, and check for a valid session when the page is requested. If there is none, you redirect to a page saying that this url is not available at the moment, and that the user will soon be redirected (and then redirect to home after 5 seconds or so using js).

Roughly it would work like this:

1. When the user is registered, a session cookie is created with for example a GUID. The GUID is also stored in a database table, in which you have one column for the UserID primary key and one for the GUID. You also create an authentication cookie, thus logging the user on to your site.

2. When all datacalls etc are done, the user has been successfully registered and so on, you redirect to the confirmation page.

3. When the confirmation page is loaded, the user is automatically logged on (because you created the authentication cookie in step 1). You can then check for a row in the UserID-GUID table corresponding to the logged on user.

   a) If there is such a row, you delete the row, and display the confirmation page with all the information.

   b) If there is no such row, you display the error message and redirect. As you deleted the row when you showed the message the first time, the user will not be able to access the confirmation page again.

---

Note: If you use this approach (or some other that makes the confirmation page available only once) you should make sure that it is clearly stated on the confirmation page that the user won't be able to access that page again.

Answer 2

So I found the solution myself.

One can use TempData to detect the repeated or external action calls.

public class MyController : Controller
{
    [AcceptVerbs (HttpVerbs.Post), ValidateAntiForgeryToken]
    public ActionResult Registration (FormCollection form)
    {
        /* Some logic goes here */

        TempData["RedirectCall"] = true;
        return RedirectToAction ("Confirmation");
    }

    [AcceptVerbs (HttpVerbs.Get)]
    public ActionResult Confirmation ()
    {
        if (TempData["RedirectCall"] == null)
            return RedirectToAction ("StartPage", "Home");

        return View ();
    }
}

Nice and simple. :)