A site has hundreds of pages, following a certain sitemap. A user can navigate to page2.aspx from page1.aspx. But if the user goes to page2.aspx directly, say through a bookmarked URL, the user should be redirected to page1.aspx.

Edit: I don't want to go in and add code to every page that needs to fulfill this need.

Note: This is not a cross-page postback scenario.

+1  A: 

I guess you could check the referrer, and if there isn't one / or it isn't page1.aspx then you could redirect back to page1.aspx.

ScottE
+1  A: 

You might consider something that is based off WorkFlow, such as this: http://blogs.msdn.com/mwinkle/archive/2007/06/07/introducing-the-pageflow-sample.aspx

The WCSF team also included a pageflow application block that you can use as a standalone add-on to your application.

Josh
+1  A: 

As another answerer mentioned, you could use the Referrer header, but that can be faked by the client.

Since you don't want to modify each page, you could do something with an IHttpModule. Assuming you have some way of describing the valid page navigations, you could do something like this in the BeginRequest handler:

  • Check the session for a list of valid pages (using a default list for first visit if none are in the session).
  • If this request is for an invalid page, redirect to the place the user should be.
  • Based on this request, set up the list of valid pages and redirect page in the session so it's ready for the next request.
Jonathan
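
An added example (not code from the answer above or from any project it mentions) of the session-based module approach in C#. The class name, flow map and session key are hypothetical. It hooks PostAcquireRequestState rather than BeginRequest because ASP.NET has not loaded session state yet when BeginRequest fires, and it always redirects to the entry page.

```csharp
using System;
using System.Collections.Generic;
using System.Web;

// Added example: enforces page order in one place using server-side session
// state, so nothing depends on the client-supplied Referer header.
public class PageFlowModule : IHttpModule
{
    // Hypothetical flow map: current page -> pages the user may request next.
    // Each page lists itself so postbacks and refreshes keep working.
    private static readonly Dictionary<string, string[]> NextPages =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "~/page1.aspx", new[] { "~/page1.aspx", "~/page2.aspx" } },
            { "~/page2.aspx", new[] { "~/page2.aspx", "~/page1.aspx" } },
        };
    private const string EntryPage = "~/page1.aspx";
    private const string AllowedKey = "PageFlow.Allowed"; // hypothetical key

    public void Init(HttpApplication app)
    {
        app.PostAcquireRequestState += OnPostAcquireRequestState;
    }

    private static void OnPostAcquireRequestState(object sender, EventArgs e)
    {
        HttpContext ctx = ((HttpApplication)sender).Context;
        if (ctx.Session == null) return; // handler does not use session state

        string path = ctx.Request.AppRelativeCurrentExecutionFilePath;
        if (!NextPages.ContainsKey(path)) return; // page is outside the flow

        // First visit: only the entry page is valid.
        string[] allowed = ctx.Session[AllowedKey] as string[]
                           ?? new[] { EntryPage };
        bool ok = Array.Exists(allowed, p =>
            string.Equals(p, path, StringComparison.OrdinalIgnoreCase));
        if (!ok)
        {
            // Out-of-order request (for example a bookmarked page2.aspx).
            ctx.Response.Redirect(VirtualPathUtility.ToAbsolute(EntryPage), false);
            ctx.ApplicationInstance.CompleteRequest();
            return;
        }
        // Record what is valid for the next request in this session.
        ctx.Session[AllowedKey] = NextPages[path];
    }

    public void Dispose() { }
}
```

The module only runs once it is registered in web.config (`<httpModules>` under `system.web`, or `<modules>` under `system.webServer` for the IIS integrated pipeline).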
+1  A: 

I recently worked with real code that checked to see if the referrer was blank and used that as a step in authorization. The idea was users wouldn't be able to fake a referrer; you don't need a custom browser to fake a referrer. Users can bookmark your page to delicious, then delicious.com is the referrer (and not blank).

I've had real arguments about how sophisticated a user needs to be to do certain hacks, i.e., if users don't know how to set the referrer, then you can trust it. While true, it's unlikely your users will write a custom browser, but there already are Firefox addons to set headers, referrers, etc., and they're easy to use.

Josh has the best answer: on page2 you should check the page hit log and see if the user has recently visited page1.

MatthewMartin
Ah, the "how smart should we plan on our users being" argument. What I really like is when that argument is used to justify not doing security things -- like say protecting against SQL injection....
Jonathan
I guess the question author needs to state the reason why this is being investigated. If it's just for general 'flow' in the application, then the path of least resistance works fine. Otherwise, some of the better methods above make sense.
ScottE
A: 

I like a lot of the answers above (specifically the workflow).

Another option is creating each page as a usercontrol and having page1.aspx control what usercontrol gets loaded. This has the advantage of storing your workflow in a single place instead of on each page.

However, I don't think there's a magic bullet out there. It sounds like this security problem is an afterthought, or possibly reported as a bug, and you have been tasked with fixing it quickly and efficiently.

I would start weighing the answers here with their associated cost in hours. I suspect the quickest solution will be to check referrer addresses on each page. Although hackable, it is obscure, and if that risk is acceptable to you it may be the appropriate solution.

itchi