How do I restrict a user to type URL manually ?

Question

1.12/5 (5 votes)

See more:

When a user logs in the application and he has access rights 2 pages say , Home.aspx and About.aspx.

After login he lands on Home.aspx. Now if he types the url of /Pages/About.aspx manually i want to terminate his session or redirect him to login page even if he had a access rights to About.aspx.

Manual entry of URL should not be allowed whatsoever.

i have used forms authentication:

C#

<authentication mode="Forms">
      <forms loginUrl="~/Pages/Login.aspx" protection="All"  timeout="2880"/>
    </authentication>
    <authorization>
      <allow users="?"></allow>
    </authorization>

Also tried this but need some more better solution

C#

string referer = Request.ServerVariables["HTTP_REFERER"];
               if (string.IsNullOrEmpty(referer))
               {
                   Session["UserId"] = null;
                   Response.Redirect("/Pages/Login.aspx");
               }

What I have tried:

I have used forms authentication and HTTP_REFERRER.

I need something to be done from IIS if possible.

Posted 18-Apr-16 3:27am

Abrar Kazi

Updated 18-Apr-16 19:29pm

v3

Add a Solution

Comments

Richard Deeming 18-Apr-16 11:43am

Why? What possible reason do you have to care how the user ended up on a page which they are allowed to view?

Philippe Mori 19-Apr-16 8:10am

Do things as they are expected to be done. The fact that is inhouse development is not a valid reason not to follow usual web rules. You need to learn how HTTP works and stop trying to work around it.

Everyone tell you to not do it but it seems that you don't want to listen. There are no valid reason to do what you want. You don't want to make such compromise in software development.

I fon't understand why you would want to do bad software...

Philippe Mori 19-Apr-16 8:12am

Read carefully each answer at least 5 times and ask yourself each time if you really want to do something like that when every good software developer here told you it is a bad idea.

4 solutions

Solution 1

Using forms authentication you can also use location tags in web.config to define what roles have access there. See https://support.microsoft.com/en-us/kb/316871[^]

Another option, and I prefer this one, is to have a base class that all of your pages inherit from. In that base class you can write code to see if user has permissions to page and if not to handle appropriately.

Or, in each page_load you can check the permissions.

Posted 18-Apr-16 3:33am

ZurdoDev

Comments

Abrar Kazi 19-Apr-16 1:16am

Guys you'll are not getting me.. Its an inhouse development.. Let me give u an example..

(This application will be used within a particular place say an office.)

Example:
There are 10 employees
5 Accounts
5 IT

Now the menus appear as per user role. IT Guy will have only IT menus visible and same with Accounts team.

But if a IT guy manually types something like ../Pages/Accounts.aspx then i want him to be redirected to Login Page again.. Now thats a requirement..

Now suggest.

ZurdoDev 19-Apr-16 7:05am

My suggestions give you exactly what you want. Please read them.

Solution 3

No way. The whole idea is wrong.

If you thought a little bit on what a browser does, you would not even ask this question. It's quite obvious that any user is allowed to enter any URL at any time, by definition.

But I would invite you to think what could happened if such kind of restriction was possible. What a user would think? Would such person ever visit your site again?

What to do? You have all the possibilities to present any page the way or redirect the page, depending on the user's status.

—SA

Posted 18-Apr-16 3:40am

Sergey Alexandrovich Kryukov

Comments

Abrar Kazi 19-Apr-16 1:16am

Guys you'll are not getting me.. Its an inhouse development.. Let me give u an example..

(This application will be used within a particular place say an office.)

Example:
There are 10 employees
5 Accounts
5 IT

Now the menus appear as per user role. IT Guy will have only IT menus visible and same with Accounts team.

But if a IT guy manually types something like ../Pages/Accounts.aspx then i want him to be redirected to Login Page again.. Now thats a requirement..

Now suggest.

Sergey Alexandrovich Kryukov 19-Apr-16 9:04am

It does not matter.
—SA

Solution 4

If user should not be able to change the address, then why would you use different addresses for each pages. If you don't want that the user be able to navigate your site by entering address manually, then do a single page application.

It would absolutely make no sense at all to display distinct addresses for each page if the user cannot go to that page. The whole purpose of using distinct addresses for each page of a site is that the user could bookmark pages and come back at the desired page at any time.

If you don't want user to navigate your page by entering addresses manually, then all you have to do is to create a site that use a single address. That way, typical users won't be able to navigate to a specific page automatically.

However, it won't buy you much security as anyone could debug your application anyway and see how it communicate with the server to get the job done. So even if you use frame jQuery or anything else to update your page without changing its address, one would be able to debug all javascript code executed on the client.

If you really want to have more control, then you should create native application that communicate with an encrypted protocol (HTTPS) with a server and ensure that your code cannot be easily reverse engineered.

Posted 18-Apr-16 15:05pm

Philippe Mori

Comments

Abrar Kazi 19-Apr-16 1:16am

Guys you'll are not getting me.. Its an inhouse development.. Let me give u an example..

(This application will be used within a particular place say an office.)

Example:
There are 10 employees
5 Accounts
5 IT

Now the menus appear as per user role. IT Guy will have only IT menus visible and same with Accounts team.

But if a IT guy manually types something like ../Pages/Accounts.aspx then i want him to be redirected to Login Page again.. Now thats a requirement..

Now suggest.

Philippe Mori 19-Apr-16 8:00am

Usually the user is redirected only if he don't have the permission but in your original question you seems to want to redirect anyone as soon as they manually enter an address. If you are not clear, then it is not my fault...

By the way, it is very easy to redirect one to login page. I even think it is the default behavior... Such simple question could easily be answered using Google or starting with an appropriate template.

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

F-ES Sitecore · Accepted Answer · 2016-04-18T03:37:00

Solution 2

You could check

C#

Request.UrlReferrer

If it's empty it's likely they navigated straight to the page, if they came from a link on another page that page will be in there and you can check that it's a valid "from" page.

Pretty bad idea in my opinion though, I'd just let them access the page any way they want.

Posted 18-Apr-16 3:37am

F-ES Sitecore

Comments

Abrar Kazi 19-Apr-16 1:19am

Yes i tried that and its working good .. But is there any other solution as i have read HTTP_Referrer not necessarily gives information always.

F-ES Sitecore 19-Apr-16 4:22am

It's the only workable solution, but yes the fact that the referrer header is not mandatory is what makes it a less than ideal solution. However as others have pointed out what you're trying to do is break the rules of http so there are not really any mechanisms that support what you want to do.