How do I force users to not skip pages via url input in an asp.net mvc 2 application?

Question

I'm using ASP.NET MVC 2 & VS 2008 Pro.

I am building a web site where users must go from page A to page B to page C. In other words, the order is very important. I want to guard against a user on page A simply entering a url for page C. If the user attempted to do such a thing I'd like to redirect them back to the page they were on before they entered the url.

It seems like I would make an action filter for this, but I'm honestly not sure what kind I would need. I would need access to the url the user was on and the url they are going to, and would have to validate them.

Thoughts?

EDIT 1

This is ugly, but it looks like I can get the full Uri's for the referring & destination urls inside of the OnActionExecuting method. I'd wager that this could be done from any kind of action filter. I'm currently testing all of this inside of the OnActionExecuting event of a custom action filter initially designed to check session state for expiration.

LogUtil.Write("OnActionExecuting", String.Format("Referring Url: {0} \n Destination Url: {1} ",
                filterContext.RequestContext.HttpContext.Request.UrlReferrer.AbsoluteUri.ToString(),
                filterContext.RequestContext.HttpContext.Request.Url.AbsoluteUri.ToString() ));     

LogUtil is just a custom class I wrote that writes out to a log file.

So far it isn't pretty, but it works. Anyone have a more elegant solution?

EDIT 2

Another take that makes comparing the url's a bit easier is below. I haven't tried this using routes that actually contain parameters. In that situation, this might get thrown off.

String[] referrerSegments = filterContext.RequestContext.HttpContext.Request.UrlReferrer.Segments;

String[] destinationSegments = filterContext.RequestContext.HttpContext.Request.Url.Segments;

Perform action lookup logic to ensure destinationSegments[destinationSegments.length-1] comes after referrerSegments[referrerSegments-1]. This will likely be done with a static string List that contains the names of all the actions in the application in order. The index values of these shouldn't be more than 1 apart (i.e. destination action should have an index of plus or minus 1 of the value of referring action index).

Thoughts?

EDIT 3

Sigh. Apparently the referrer information is lost when a user is on a page and manually types in the url into the address bar. This seems odd to me, but it means I can only get the url for the current page the person is on.

Anyone have any suggestions here aside from session? I really, really want to avoid storing something like this in session if possible.

Answer 1

An Action filter is exactly what you need, with a redirect when they are being naughty. Keep track of their progress in the time honoured fashion, using the Session State.

This keeps the main part of your application relatively stateless (compared to classic ASP.NET) and keeps this logic in the action filter.

Another consideration: If your input is potentially a long-lived process you could save the user's progress to a database or into a Windows Workflow object. Just a thought. This would enable them to start the process on one machine and pick it up elsewhere. This might not apply to your scenario, but it is worth considering in some situations.