Click here to Skip to main content
15,348,882 members
Please Sign up or sign in to vote.
1.12/5 (5 votes)
When a user logs in the application and he has access rights 2 pages say , Home.aspx and About.aspx.

After login he lands on Home.aspx. Now if he types the url of /Pages/About.aspx manually i want to terminate his session or redirect him to login page even if he had a access rights to About.aspx.


Manual entry of URL should not be allowed whatsoever.

i have used forms authentication:

C#
<authentication mode="Forms">
      <forms loginUrl="~/Pages/Login.aspx" protection="All"  timeout="2880"/>
    </authentication>
    <authorization>
      <allow users="?"></allow>
    </authorization>




Also tried this but need some more better solution


C#
string referer = Request.ServerVariables["HTTP_REFERER"];
               if (string.IsNullOrEmpty(referer))
               {
                   Session["UserId"] = null;
                   Response.Redirect("/Pages/Login.aspx");
               }


What I have tried:

I have used forms authentication and HTTP_REFERRER.

I need something to be done from IIS if possible.
Posted
Updated 18-Apr-16 19:29pm
v3
Comments
Richard Deeming 18-Apr-16 11:43am
   
Why? What possible reason do you have to care how the user ended up on a page which they are allowed to view?
Philippe Mori 19-Apr-16 8:10am
   
Do things as they are expected to be done. The fact that is inhouse development is not a valid reason not to follow usual web rules. You need to learn how HTTP works and stop trying to work around it.

Everyone tell you to not do it but it seems that you don't want to listen. There are no valid reason to do what you want. You don't want to make such compromise in software development.

I fon't understand why you would want to do bad software...
Philippe Mori 19-Apr-16 8:12am
   
Read carefully each answer at least 5 times and ask yourself each time if you really want to do something like that when every good software developer here told you it is a bad idea.

Using forms authentication you can also use location tags in web.config to define what roles have access there. See https://support.microsoft.com/en-us/kb/316871[^]

Another option, and I prefer this one, is to have a base class that all of your pages inherit from. In that base class you can write code to see if user has permissions to page and if not to handle appropriately.

Or, in each page_load you can check the permissions.
   
Comments
Abrar Kazi 19-Apr-16 1:16am
   
Guys you'll are not getting me.. Its an inhouse development.. Let me give u an example..

(This application will be used within a particular place say an office.)

Example:
There are 10 employees
5 Accounts
5 IT

Now the menus appear as per user role. IT Guy will have only IT menus visible and same with Accounts team.

But if a IT guy manually types something like ../Pages/Accounts.aspx then i want him to be redirected to Login Page again.. Now thats a requirement..

Now suggest.
ZurdoDev 19-Apr-16 7:05am
   
My suggestions give you exactly what you want. Please read them.
You could check

C#
Request.UrlReferrer


If it's empty it's likely they navigated straight to the page, if they came from a link on another page that page will be in there and you can check that it's a valid "from" page.

Pretty bad idea in my opinion though, I'd just let them access the page any way they want.
   
Comments
Abrar Kazi 19-Apr-16 1:19am
   
Yes i tried that and its working good .. But is there any other solution as i have read HTTP_Referrer not necessarily gives information always.
F-ES Sitecore 19-Apr-16 4:22am
   
It's the only workable solution, but yes the fact that the referrer header is not mandatory is what makes it a less than ideal solution. However as others have pointed out what you're trying to do is break the rules of http so there are not really any mechanisms that support what you want to do.
No way. The whole idea is wrong.

If you thought a little bit on what a browser does, you would not even ask this question. It's quite obvious that any user is allowed to enter any URL at any time, by definition.

But I would invite you to think what could happened if such kind of restriction was possible. What a user would think? Would such person ever visit your site again?

What to do? You have all the possibilities to present any page the way or redirect the page, depending on the user's status.

—SA
   
Comments
Abrar Kazi 19-Apr-16 1:16am
   
Guys you'll are not getting me.. Its an inhouse development.. Let me give u an example..

(This application will be used within a particular place say an office.)

Example:
There are 10 employees
5 Accounts
5 IT

Now the menus appear as per user role. IT Guy will have only IT menus visible and same with Accounts team.

But if a IT guy manually types something like ../Pages/Accounts.aspx then i want him to be redirected to Login Page again.. Now thats a requirement..

Now suggest.
   
It does not matter.
—SA
If user should not be able to change the address, then why would you use different addresses for each pages. If you don't want that the user be able to navigate your site by entering address manually, then do a single page application.

It would absolutely make no sense at all to display distinct addresses for each page if the user cannot go to that page. The whole purpose of using distinct addresses for each page of a site is that the user could bookmark pages and come back at the desired page at any time.

If you don't want user to navigate your page by entering addresses manually, then all you have to do is to create a site that use a single address. That way, typical users won't be able to navigate to a specific page automatically.

However, it won't buy you much security as anyone could debug your application anyway and see how it communicate with the server to get the job done. So even if you use frame jQuery or anything else to update your page without changing its address, one would be able to debug all javascript code executed on the client.

If you really want to have more control, then you should create native application that communicate with an encrypted protocol (HTTPS) with a server and ensure that your code cannot be easily reverse engineered.
   
Comments
Abrar Kazi 19-Apr-16 1:16am
   
Guys you'll are not getting me.. Its an inhouse development.. Let me give u an example..

(This application will be used within a particular place say an office.)

Example:
There are 10 employees
5 Accounts
5 IT

Now the menus appear as per user role. IT Guy will have only IT menus visible and same with Accounts team.

But if a IT guy manually types something like ../Pages/Accounts.aspx then i want him to be redirected to Login Page again.. Now thats a requirement..

Now suggest.
Philippe Mori 19-Apr-16 8:00am
   
Usually the user is redirected only if he don't have the permission but in your original question you seems to want to redirect anyone as soon as they manually enter an address. If you are not clear, then it is not my fault...

By the way, it is very easy to redirect one to login page. I even think it is the default behavior... Such simple question could easily be answered using Google or starting with an appropriate template.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



CodeProject, 20 Bay Street, 11th Floor Toronto, Ontario, Canada M5J 2N8 +1 (416) 849-8900