
I am stuck in a situation where I want to prevent the user from navigating to a View by entering the URL into the browser, but they can navigate to that view by clicking a button whose action navigates to that view.

For example: I have an href link to an ActionResult (Create). I want the user to navigate to this view (Create) when they click on that link, but not when they enter the URL in the browser, like (/Create).

I found some solutions on this portal like:

1) Making the ActionResult private. But this results in an HTTP 404 Page Not Found error both when entering the URL in the browser and when clicking the link which navigates to the Create ActionResult.

Referred links: Is it possible to prevent certain PartialViews from being served if requested directly?

2) Using the data annotation [ChildActionOnly] on the ActionResult method. But this also did not give me the desired result; it gave me an error too, the same HTTP 404 error.

3) I tried using ControllerContext.IsChildAction, but it always returns false whether I navigate to this ActionResult by clicking the link or by entering the URL, so I can't judge what to do. If it returned true in one case and false in the other, I would have solved my problem by redirecting in either case.

Asp.net mvc How to prevent browser from calling an action method?

Help me, guys.

Vishal
  • Why must the user be prevented from entering the URL? Users expect to be able to navigate to URLs (e.g. history, bookmarks) and will be surprised if they cannot. Most likely, we can help find you a better solution if we understand your requirements. – Iain Galloway Nov 07 '13 at 12:16
  • Actually, I am showing a link which will be visible only to authorized users so that they can navigate to that view on click. But users who are not authorized can also navigate by entering the URL into the browser, which I want to avoid. – Vishal Nov 07 '13 at 12:26
  • In that case, you *really* don't want to use the Referrer! – Iain Galloway Nov 07 '13 at 12:27

1 Answer


Given the information in the comments under the question, you almost certainly do not want to use Request.UrlReferrer, as this value can be trivially spoofed and so should not be used for any security purposes.

You almost certainly want to look at Authorization filters (and in particular you can use the AuthorizeAttribute as a starting point) to prevent unauthorized clients invoking the action method.

Iain Galloway
  • My requirement is something like: I don't want people to navigate directly to any action method by just typing them in the browser's address bar. How would I approach that then? – Prasanna Apr 10 '14 at 11:30
  • That's not really something you can or should do. Your webserver doesn't know about the browser, all it knows about are requests and responses. You are almost certainly trying to use the wrong tool for the job. What's the business reason for the requirement? – Iain Galloway Apr 10 '14 at 12:20
  • Not sure though. We are just asked if this can be done. – Prasanna Apr 10 '14 at 12:25
  • Then you can refer to my answer, and to Adil's below. You can check Request.UrlReferrer to see where the request came from (it'll be null if they just entered the URL into the address bar), but you cannot rely on this value for any purpose related to security. – Iain Galloway Apr 10 '14 at 12:29
  • Your best approach is to figure out what the *actual* requirement is. Almost every time someone's asked me this, it's because they're trying to implement some form of authorisation and haven't really understood how HTTP works. – Iain Galloway Apr 10 '14 at 12:33
  • Yes. Exactly this is the case. – Prasanna Apr 10 '14 at 12:34
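
The authorization-filter approach recommended in the answer, as an added example that is not code from the question or the answer: the check runs on the server for every request to Create, whether it comes from the link or from a typed URL. The role name "Editor", the `EditorOnlyAttribute` class and `ItemsController` are assumptions made for illustration.

```csharp
using System.Web.Mvc;

// Assumption: a role named "Editor" marks the users allowed to create items.
public class EditorOnlyAttribute : AuthorizeAttribute
{
    public EditorOnlyAttribute()
    {
        Roles = "Editor";
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        if (filterContext.HttpContext.User.Identity.IsAuthenticated)
        {
            // Signed in but lacking the role: answer 403 instead of bouncing to the login page.
            filterContext.Result = new HttpStatusCodeResult(403);
        }
        else
        {
            // Anonymous: keep the default 401, which forms authentication turns into a login redirect.
            base.HandleUnauthorizedRequest(filterContext);
        }
    }
}

public class ItemsController : Controller
{
    // Open to everyone. Hiding the link in the view is only a convenience, not a control:
    //   @if (User.IsInRole("Editor")) { @Html.ActionLink("Create", "Create") }
    public ActionResult Index()
    {
        return View();
    }

    // Enforced on every GET to /Items/Create, however the request was produced.
    [EditorOnly]
    public ActionResult Create()
    {
        return View();
    }

    // The POST that saves the item needs the same filter; protecting only the form is not enough.
    [HttpPost]
    [EditorOnly]
    public ActionResult Create(FormCollection form)
    {
        // Saving the item is outside the scope of this example.
        return RedirectToAction("Index");
    }
}
```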