0

Webform ASP.NET. Currently I am using Response.Redirect() to redirect to another page when I press a button or navigate. Is there a way to validate from where it comes the redirection? Lets say I have Login.aspx and when I press the button Save, it redirects to Account.aspx but I want to check from where it comes. If someone just writes in the browser Account.aspx, that person could just enter to that page and I don't want that. Is there a way to validate the Redirection to not be null and that it comes from an specific page?

EDIT to clarify my problem: Lets say I have an Index.aspx and a menu Registration.aspx. The registration is just a form to save the user data and after that it redirects to Buythings.aspx I want the guy to access Buythings.aspx only from a certain page redirection (Registration.aspx)

Popplar
  • 279
  • 5
  • 15
  • *"that person could just enter to that page and I don't want that"* - Why not? What harm is done from a user accessing a page that the user is allowed to access? There's no *reliable* way to track where the user came from. You *could* store some information server-side (such as in session state) to track where users have already visited or what they've already done. But I imagine this would get fragile and buggy quickly, and if it's not serving any real purpose then why do it at all? – David May 07 '18 at 16:18
  • Did you try using a global variable(such as a Boolean) , passing it a value when clicked the `Save` button and finally check from the account page if value matches condition ? – Software Dev May 07 '18 at 16:18
  • @David Sorry, the example is not good. Lets say I have an Index.aspx and a menu Registration.aspx. The registration is just a form to save the user data and after that it redirects to Buythings.aspx I want the guy to access Buythings.aspx only from a certain page redirection (Registration.aspx) – Popplar May 07 '18 at 16:29
  • @Popplar: Same question... why exactly does it matter what the *previous* page was? Why *shouldn't* a user be able to access `Buythings.aspx` unless they came from `Registration.aspx`? Whatever you're trying to prevent, you're most certainly taking the wrong approach. You can't *force* the user to make certain requests. But you can respond accordingly when invalid requests are made. So what makes a request invalid, why, and how should you respond? For example, if `Registration.aspx` persists some necessary value then `Buythings.aspx` can check if that value exists. – David May 07 '18 at 16:31
  • @David Hi David, because I need to validate first all the personal information of the user before and retrieve the id from the db of that sale. I will be using that ID through the pages. Forgot to say that this page is for a closed environment. When making the sales, is it obligatory to fullfil first the registration data. Unfortunately, this is how the proyect was made. – Popplar May 07 '18 at 16:36
  • @Popplar: If required information is not present then `Buythings.aspx` can check for that information and redirect the user to provide that information. Ideally with some helpful message indicating why the user was redirected. Or certain functionality on `Buythings.aspx` can be disabled with a helpful message suggesting the user go to another page to provide the necessary information. It's not clear what you mean by selecting the ID, you *always* have access to that for a logged in user anyway. – David May 07 '18 at 16:38
  • @David I edited the previous response. Unfortunately, the proyect was made like this (its pretty old), and the flow is like that. Everything is done by certains user, they register the buyer data from Registration (complete data) -> and then Buythings (select items). – Popplar May 07 '18 at 16:41
  • 1
    @Popplar: Regardless of the age of the project, the technical details of web applications remain the same. The user can make *any request they want*. If, for any given page, there is a reason why the user shouldn't be able to access it then *on that page* you would check for that reason. In the example you gave you suggested that the "registration data" needs to be known before the user can visit `Buythings.aspx`. So in the `Page_Load` for `Buythings.aspx` you can check wherever you store "registration data". If the data isn't there, redirect the user back to `Registration.aspx`. – David May 07 '18 at 16:44
  • @David Sorry for my bad explanation, this is what I was trying to say that you said: If, for any given page, there is a reason why the user shouldn't be able to access it then on that page you would check for that reason. – Popplar May 07 '18 at 16:49
  • @David Thanks David, what I did was to check for the ID in the pageload of Buythings, if its null then that user should not be there regardless of wether he can or not access it. – Popplar May 07 '18 at 17:02
  • 2
    You're focusing far too much on the page and the flow from page to page when what you should be focused far more on is the **State**. Checking whether a user came from a certain page or not is irrelevant and pointless. Check the condition you actually need to check, *when you need to check it*. That's what David is trying to tell you. Drop your pre-conceived notions of how it should work, because they're wrong. – mason May 07 '18 at 17:03

3 Answers3

0

You need to request.referrer; Something like this (you may have to edit it a bit):

string pageName = Request?.UrlReferrer?.Segments[1];

Then you say: 

if (pageName ="Registration.aspx")
{ DO STuff}
Jason
  • 652
  • 8
  • 23
-1

Use Http referer (wiki)

Request.UrlReferrer (SO discuss) is the actual property which is available as part of the http spec.

However, as mentioned in the wiki, there are certain cases it may not work or may get tampered with, so you have to take care of those.

NitinSingh
  • 2,029
  • 1
  • 15
  • 33
-2

Controller actions are essentially methods so you could pass something along that acts like a password, not sure I would recommend this. Instead if your trying to restrict access I would authenticate against the user to make sure they have permission to access the page, if you want anyone logged in to be able to access the page then just use

User.Identity.IsAuthenticated

Keith
  • 98
  • 4