
I have two views in my ASP.NET Core application. The first view is called Customer and the second view is called Payment. I want to prevent users from getting direct access by typing the URL "https://mywebsite/Payment" in the browser.

I want users to be redirected to the view called Customer if they try to get direct access to the view called Payment.

How can I do that? I don't have any idea.

mehpir
  • This is not how it works. When you return a redirect from a POST, the redirect is performed by the browser, not by the server. The server tells the browser the URL, the browser goes there. Because the URL has to exist in a form that can be told to a browser, the user can navigate there directly if they so wish. – GSerg Sep 08 '19 at 19:04
  • That being said, you probably want https://stackoverflow.com/q/44783702/11683. – GSerg Sep 08 '19 at 19:07
  • @GSerg, I don't understand how anything you said has anything to do with the question. @mehpir, simplest solution I can come up with is decorate the action with `[HttpPost]`, which will prevent any GETs from accessing the page, which is what I think you mean by direct access. I also assume that you're POSTing to the Payment page. Alternatively, you could do a `RedirectToAction("Customer")` in your Payment action. This would probably require you to examine any state you're passing to the action if it's valid or not, and redirect if it's not. – Gup3rSuR4c Sep 08 '19 at 21:04
  • @Gup3rSuR4c `RedirectToAction` instructs the browser to go to a page and gives the URL. A malicious user can intercept the header and navigate to the page manually at any time without visiting the previous pages first. It does not matter if it's get or post because it's equally easy to forge. To my understanding, the OP is asking how to prevent that, so that the payment URL is not accessible unless called from the customer page. – GSerg Sep 09 '19 at 06:40
  • OP was pretty clear in his question. He wants to prevent users from directly typing the URL to the Payment page, which is a GET request. Decorating with HttpPost stops that. Guarding against malicious hacking users like what you’re referring to is out of context. While a valid concern, it’s not what the OP asked for. Guarding beyond that could mean anything, such as data validation in Payment, user authentication, encrypted tokens from Customer page with Data Protection API, so on and so forth... – Gup3rSuR4c Sep 09 '19 at 13:22

1 Answer

You could create a filter as below:

using System;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.AspNetCore.Routing;

public class NoDirectAccessAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        var canAccess = false;

        // Check the Referer header: allow the request only if it came from a page on this same site.
        var request = context.HttpContext.Request;
        var referer = request.Headers["Referer"].ToString();
        if (!string.IsNullOrEmpty(referer) && Uri.TryCreate(referer, UriKind.Absolute, out var rUri))
        {
            // Host.Port is null when the Host header carries no explicit port, while Uri.Port
            // returns the scheme's default port, so fall back to that default before comparing.
            var requestPort = request.Host.Port ?? (request.Scheme == "https" ? 443 : 80);
            if (string.Equals(request.Host.Host, rUri.Host, StringComparison.OrdinalIgnoreCase)
                && requestPort == rUri.Port
                && request.Scheme == rUri.Scheme)
            {
                canAccess = true;
            }
        }

        // ... check other requirements

        if (!canAccess)
        {
            context.Result = new RedirectToRouteResult(new RouteValueDictionary(new { controller = "Home", action = "Index", area = "" }));
        }
    }
}

Then you can apply the `NoDirectAccess` attribute to a specific action:

[NoDirectAccess]
public IActionResult Privacy()
{
    return View();
}

Xueli Chen
  • So all it takes to work around this [protection](https://en.wikipedia.org/wiki/Security_through_obscurity) is to supply the correct `referer`. – GSerg Sep 09 '19 at 09:17
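
The comment above is the crux: the Referer header is chosen by the client, so a filter that trusts it can be satisfied by anyone who sends the right value. The alternative hinted at in the question's comments (examine server-side state and redirect if it is missing) is shown below as an added example; it is not code from the question or the answer. It assumes session state is enabled in Program.cs (`builder.Services.AddSession();` and `app.UseSession();`), that the controllers are named Customer and Payment as in the question, and that `CustomerModel` and the session key `checkout.customer-completed` are hypothetical names chosen for this example.

```csharp
// Added example (not the question's or the answer's code): instead of trusting the
// Referer header, record on the server that the Customer step completed and make the
// Payment actions require that record. A user who types /Payment into the address bar,
// or who forges a Referer, has no way to write the session flag.
// Assumptions: session is enabled (AddSession/UseSession), controllers are named
// Customer and Payment, CustomerModel and the session key are hypothetical.
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Hypothetical form model for the Customer page.
public class CustomerModel
{
    public string Name { get; set; } = string.Empty;
}

public static class CheckoutFlow
{
    // Session key is an assumption of this example.
    public const string CustomerCompletedKey = "checkout.customer-completed";
}

// Redirects to the Customer page unless the session proves that step was completed.
public class RequireCustomerStepAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        var session = context.HttpContext.Session;

        // The flag is written only by server-side code in CustomerController.Index (POST);
        // nothing the browser sends can set it directly.
        if (session.GetInt32(CheckoutFlow.CustomerCompletedKey) != 1)
        {
            context.Result = new RedirectToActionResult("Index", "Customer", null);
        }
    }
}

public class CustomerController : Controller
{
    [HttpGet]
    public IActionResult Index() => View();

    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Index(CustomerModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Server-side record that the Customer step is done; the browser only sees a redirect.
        HttpContext.Session.SetInt32(CheckoutFlow.CustomerCompletedKey, 1);
        return RedirectToAction("Index", "Payment");
    }
}

public class PaymentController : Controller
{
    [HttpGet]
    [RequireCustomerStep]
    public IActionResult Index() => View();

    [HttpPost]
    [ValidateAntiForgeryToken]
    [RequireCustomerStep]
    public IActionResult Submit()
    {
        // Once the payment is submitted, clear the flag so the flow must start again
        // from the Customer page rather than being replayed from the same session.
        HttpContext.Session.Remove(CheckoutFlow.CustomerCompletedKey);
        return RedirectToAction("Index", "Home");
    }
}
```

The design point is where the evidence lives: the Referer check in the answer reads evidence supplied by the client, while this filter reads evidence written by the server during the previous step. The flag is cleared on the final POST so that completing the Customer form once does not leave the Payment page open for the rest of the session, and the filter is applied to both the GET and the POST of the Payment controller so that a direct POST to `/Payment/Submit` is refused on the same grounds as a direct GET.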