0

I have an ASP.NET MVC 4 blog which is 90% done, but I need one thing: I have a webpage, let's say index/secretPage, but I want to be able to navigate to this webpage only after I am redirected from another, let's say index/redirect. If the address is hardcoded it should not navigate; if the visitor is coming from a different link like blog/post/24, it should not be able to navigate either. I hope my question was clear, thank you for all help.

Georgi-it
  • Check the url referrer and if it's not of the expected page, issue a 404 or redirect to previous? – DGibbs Mar 28 '13 at 09:34
  • A little more info? I am fairly new to ASP.NET – Georgi-it Mar 28 '13 at 09:35
  • 1
    You can use `Request.UrlReferrer` to get the url that the user came from previously and if it wasn't `index/redirect` or whatever, then you can do something like `Response.StatusCode = 404, Response.Status = "404 Not Found"` or `Response.Redirect("....");` – DGibbs Mar 28 '13 at 09:37
  • see here: http://stackoverflow.com/questions/1471188/how-do-i-get-the-referrer-url-in-an-asp-net-mvc-action – jao Mar 28 '13 at 09:37
  • @DGibbs suggestion has nothing to do with ASP.Net so it's not ASP.Net and/or MVC4 specific but has to do with HTTP in general. In a nutshell: A [referer](http://en.wikipedia.org/wiki/HTTP_referer) is "the current page" that a browser sends along when requesting a new page. A [redirect](http://en.wikipedia.org/wiki/HTTP_redirect) sends the browser off to somewhere else. **Do** keep in mind referers can easily be spoofed (as with any other HTTP headers) so **don't** rely on them. Also, proxy servers etc. have a habit of stripping these kind of headers from requests. – RobIII Mar 28 '13 at 09:37
  • 3
    @RobIII Erm.. the question is tagged as `asp.net`... – DGibbs Mar 28 '13 at 09:38
  • I know what a referer is, I just didn't know how to get it and use it with asp.net – Georgi-it Mar 28 '13 at 09:38
  • @DGibbs Erm.., so? Your answer has nothing to do with ASP.Net but with HTTP in general. That was all I was pointing out to georgi-it. From what I understood ("*A little more info? I am fairly new to ASP.NET"*) I gathered that georgi-it didn't understand the referer/redirect concepts so I pointed him in the right direction before he/she started looking in the wrong place (e.g. ASP.Net framework as opposed to basic HTTP knowledge). – RobIII Mar 28 '13 at 09:40
  • @RobIII Apparently you missed the OP's reply, he is familiar with what a referrer is, just not how to get at it in asp.net, `I know what a referer is i just didn't know how to get it and use with asp.net`... What on earth are you talking about :S – DGibbs Mar 28 '13 at 09:45
  • @DGibbs Apparently *you* missed that I replied *before* georgi-it stated he knew what a referer is. Up until that point I was under the assumption georgi-it was inquiring about referer/redirects when he stated "a little more info?". If georgi-it had been clear on *what* info he was inquiring about this whole misunderstanding wouldn't have existed. – RobIII Mar 28 '13 at 09:46
  • 1
    @RobIII He was obviously responding to your little tirade about my comment clearing up that he does in fact understand what a referrer is. You then go on to state `I gathered that georgi-it didn't understand the referer/redirect concepts so I pointed him in the right direction before he/she started looking in the wrong place`. Your reading comprehension could use a little work.. – DGibbs Mar 28 '13 at 09:49
  • @DGibbs **I wasn't tirading**, I was pointing something out; what the hell is wrong with you? I was merely pointing out that referers/redirects have nothing to do with ASP.Net/MVC4 but with HTTP in general. Maybe you should read the entire conversation (in posttime-order!) again. There's nothing wrong with my 'reading comprehension'. – RobIII Mar 28 '13 at 09:50
  • @RobIII Just relax dude, no need to be upset :) – DGibbs Mar 28 '13 at 09:52
  • 1
    @RobIII I am sorry, next time I will say: I know what HTTP Referer is, I know what HTML is, I am also familiar with my computer's power supply, please tell me everything else I didn't mention. I think my question was clear enough, starting with that it was tagged with asp.net, maybe now this arguing will stop. – Georgi-it Mar 28 '13 at 09:52
  • @georgi-it The question itself was clear, it was the comment "*A little more info? I am fairly new to ASP.NET*" that gave me the impression you might needed some pointers in the right direction about referers/redirects. How was I supposed to know you knew about referers/redirects? Why couldn't that be a new thing to you? You obviously weren't clear enough when you asked for "more information" without stating information *on what*. And **so** I tried to **complement** (not tirade!) DGibbs' comment with my first comment in this whole mess. And then, somehow, I'm the jackass for trying to help!? – RobIII Mar 28 '13 at 09:54
  • @RobIII `The question itself was clear, it was the comment "A little more info? I am fairly new to ASP.NET" that gave me the impression you might needed some pointers in the right direction about referers/redirects` Why would that lead you to believe that he doesn't understand HTTP referrers or redirects? If anything the logical conclusion to draw from that statement is that he is unfamiliar with asp.net. You're not a jackass for trying to help, that's what we all come here to do ultimately. Just settle down and forget about it :) – DGibbs Mar 28 '13 at 12:55

2 Answers

2

You could also mask the secret page with an action that shows another page if called directly.

In this example there are 2 actions: 'Secret' for returning a bogus view and 'Check' for the real call. In this action the bool variable 'allowSecret' is checked and then the user sees the view 'secret.cshtml' if allowed or 'index.cshtml' if not.

Here's example code for a simple controller with that functionality:

```csharp
using System.Web.Mvc;

namespace Test.Controllers
{
    public class HomeController : Controller
    {
        public ActionResult Index()
        {
            return View("Index");
        }

        public ActionResult Check()
        {
            // Placeholder: the answer does not define allowSecret.
            // Replace this with the application's own check.
            bool allowSecret = false;

            // check if user is allowed to show secret page
            if (allowSecret)
                return View("Secret");
            // Otherwise return view 'index.cshtml'
            // (a bare View() would look for 'check.cshtml' here)
            return View("Index");
        }

        public ActionResult Secret()
        {
            // Always shows view 'index.cshtml' if url is ".../secret"
            return View("Index");
        }
    }
}
```

You could also redirect to another action after the check fails instead of calling a 'fake-view':

```csharp
return RedirectToAction("Index");
```

The difference is the url the user sees in the browser. Returning a view does not change the url, redirecting to another action changes the url to the changed route.

Of course you can place the check in another class behind the controller.

Another option is to use the 'NonAction' attribute:

```csharp
[NonAction]
public ActionResult Check()
{
   ...
}
```

Hope that helps with kind regards,

DD

0

You can use UrlReferrer to find out who referred to this current page and throw an exception or redirect back

HttpContext.Current.Request.UrlReferrer

http://msdn.microsoft.com/en-IN/library/system.web.httprequest.urlreferrer.aspx

But for whatever reason you need this, it does not look like a good design to me.

Hope this helps

Guru Kara
  • While technically a correct answer to what you've asked, remember that this is not at all secure. What you really want to do is use authentication of some form. – Nathan Mar 28 '13 at 09:40
  • 1
    To stress this: relying on referers is **not** safe as I've [mentioned earlier](http://stackoverflow.com/questions/15678314/asp-net-mvc-4-make-a-page-not-directly-reachable#comment22256845_15678314). To me it too smells like a "not so good" design. – RobIII Mar 28 '13 at 09:41
  • I am completely aware of this, thanks for pointing it out anyway – Georgi-it Mar 28 '13 at 09:42
  • @RobIII this is not going to secure my TopSecretAwesome admin page, this is for something different, not related to site security – Georgi-it Mar 28 '13 at 09:43
  • Hmmm, seems to me that if you are required to go "past" page A before you're allowed to visit page B you shouldn't rely on referers but on, for example, a session variable that gets set once a visitor visits page A. – RobIII Mar 28 '13 at 09:45
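
The session-variable approach suggested in the last comment, sketched for ASP.NET MVC as an added example (it is not code from any poster on this page). The controller name, the session key `PassKey` and the view name are assumptions; the Referer check from the comments is included only for contrast.

```csharp
using System;
using System.Web.Mvc;

namespace Test.Controllers
{
    // Added example; IndexController, PassKey and the view name are assumed names.
    public class IndexController : Controller
    {
        private const string PassKey = "CameFromRedirect"; // hypothetical session key

        // Serves index/redirect: the only place the flag is set.
        [ActionName("redirect")]
        public ActionResult IssuePass()
        {
            Session[PassKey] = true;   // stored server-side; the client cannot set it
            return RedirectToAction("SecretPage");
        }

        // Serves index/secretPage.
        public ActionResult SecretPage()
        {
            bool allowed = Session[PassKey] is bool && (bool)Session[PassKey];
            Session.Remove(PassKey);   // single use: reload, bookmark or typed URL fails

            if (!allowed)
            {
                return HttpNotFound(); // same response as a page that does not exist
            }
            return View("SecretPage");
        }

        // Referer-based variant from the comments, kept for contrast only.
        // The header is supplied by the client and is often stripped, so
        // UrlReferrer can be null for a genuine visitor or set to any value.
        private bool RefererLooksRight()
        {
            Uri referrer = Request.UrlReferrer;
            return referrer != null
                && string.Equals(referrer.Host, Request.Url.Host,
                                 StringComparison.OrdinalIgnoreCase)
                && string.Equals(referrer.AbsolutePath, Url.Action("redirect"),
                                 StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

The flag only records that this session passed through index/redirect; as the comments note, anything that must be protected from a determined visitor needs authentication instead.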