Question and advice on Web Page Security

Last post 07-30-2009 4:31 AM by kgooding. 6 replies.


  • Question and advice on Web Page Security

    07-29-2009, 4:11 PM

    Hi

    I am looking for advice on web page security. My question is best explained by a scenario. If you have an application where a user has to fill in a form over a number of pages, the best security is to stop a user from skipping pages, or trying to get into pages before completing others. I am not talking about the back button or the pages themselves; the question I need help with is how do I prevent users from trying to get to these pages before systematically completing others, or trying to go back a page to download a piece of music for free. Is there a way of expiring a page or setting a session variable?

    Thanks

  • Re: Question and advice on Web Page Security

    07-29-2009, 10:07 PM
    • Participant
      1,090 point Participant
    • kgooding
    • Member since 03-05-2007, 2:41 PM
    • Laguna Niguel
    • Posts 190

    SessionVariable would work in the sense

    Session["pageCheck"] = 1;

    Then increment and check the total on the respective page.

    Alternatively you could check the Page.Request.UrlReferrer to see if they came from the right place. Remember you will often have the post data too, therefore you can check the values on the previous page. Or use Page.PreviousPage.

    Hope that helps.

    http://www.suckmycode.net

    If I answered your question please "Mark as Answer"
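
The session-counter idea from the reply above, worked through as an added example (not code from any poster in this thread): progress is held in server-side session state rather than taken from the Referer header, which the client supplies. `WizardGuard`, its session key and the dictionary standing in for `Session` are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// The dictionary stands in for ASP.NET's Session so the sketch runs offline
// (assumption); in a page, read and write Session[Key] instead.
public static class WizardGuard
{
    private const string Key = "wizard.highestCompleted"; // hypothetical key

    // Highest step index completed so far, or -1 if none.
    public static int HighestCompleted(IDictionary<string, object> session)
    {
        object v;
        return (session.TryGetValue(Key, out v) && (v is int)) ? (int)v : -1;
    }

    // A step may be shown only when every earlier step is complete.
    public static bool CanEnter(IDictionary<string, object> session, int step)
    {
        return step >= 0 && step <= HighestCompleted(session) + 1;
    }

    // Call after the page's own validation passed; false means out of order.
    public static bool Complete(IDictionary<string, object> session, int step)
    {
        if (!CanEnter(session, step)) return false;
        if (step > HighestCompleted(session)) session[Key] = step;
        return true;
    }

    // End the flow (for example once the download was served) so the recorded
    // progress cannot be reused; the user has to start again from step 0.
    public static void Reset(IDictionary<string, object> session) { session.Remove(Key); }
}

public static class Demo
{
    public static void Main()
    {
        var session = new Dictionary<string, object>(); // constructed sample
        Console.WriteLine(WizardGuard.CanEnter(session, 2)); // direct hit on step 2
        WizardGuard.Complete(session, 0);
        WizardGuard.Complete(session, 1);
        Console.WriteLine(WizardGuard.CanEnter(session, 2)); // after steps 0 and 1
        WizardGuard.Complete(session, 2);                     // final step done
        WizardGuard.Reset(session);
        Console.WriteLine(WizardGuard.CanEnter(session, 2)); // after the reset
    }
}
```

In a page, call `CanEnter` at the start of page load and redirect to the first incomplete step when it returns false.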
  • Re: Question and advice on Web Page Security

    07-29-2009, 10:28 PM
    • Participant
      1,039 point Participant
    • jsiddharthj
    • Member since 06-18-2008, 7:54 PM
    • Virginia U.S
    • Posts 230

    Set a cookie in each page and check the cookie on subsequent pages in page load.

    Sid heart
  • Re: Question and advice on Web Page Security

    07-29-2009, 10:35 PM
    • Participant
      1,090 point Participant
    • kgooding
    • Member since 03-05-2007, 2:41 PM
    • Laguna Niguel
    • Posts 190

    Although a cookie works too, be sure to encrypt the cookie otherwise it would not be deemed secure. Personally, I do not like this approach as not all users have cookies enabled, or find them annoying. The cookie will most likely reside when their Session ends, this would have to be handled as it could cause potential unexpected behaviour.

    Well pointed out jsiddharthj, I'm not saying it's wrong. I am just stating as to why I wouldn't use cookies for such.

    http://www.suckmycode.net

    If I answered your question please "Mark as Answer"
  • Re: Question and advice on Web Page Security

    07-30-2009, 1:38 AM

    Hi

    Thanks for your reply.

    I am interested in your answer for using Request.UrlReferrer and Previous Page, where it would make sense to use what .Net has provided rather than building your own. Do you have any examples or code snippets on their use and how I can use it?

    Thanks

  • Re: Question and advice on Web Page Security

    07-30-2009, 2:02 AM
    • Member
      216 point Member
    • masterpass
    • Member since 06-24-2009, 6:28 AM
    • Posts 53

    Try this, 

        // Redirect to the error page when the request carries no Referer header.
        bool bRedirect = false;

        if (Request.ServerVariables["HTTP_REFERER"] == null)
            bRedirect = true;
        else
        {
            string strReferrer = Request.ServerVariables["HTTP_REFERER"].ToString();
            if (strReferrer.Equals(string.Empty))
                bRedirect = true;
        }
        if (bRedirect)
            Response.Redirect("errorpage.aspx");


    The strReferrer will have the page from which the request came. You can use this for processing.


    Hope this helps

    Thanks

    Please mark ANSWER to the post which helped you ...
  • Re: Question and advice on Web Page Security

    07-30-2009, 4:31 AM
    Answer
    • Participant
      1,090 point Participant
    • kgooding
    • Member since 03-05-2007, 2:41 PM
    • Laguna Niguel
    • Posts 190

    It's hard to give an example specific to what you may need. Therefore, I would suggest reading the following article on cross-page posting. Simply put, it enables you to access the PreviousPage, typically when using Server.Transfer().

    http://msdn.microsoft.com/en-us/library/ms178139(VS.80).aspx

    I actually threw something together, although this does require the PreviousPage to be available. It is simply for reference as it is untested. I have created a new Page you can derive from.


    using System;
    using System.IO;
    using System.Web.UI;

    /// <summary>
    /// A sequentially aware page.
    /// </summary>
    public class StrictAccessPage : Page
    {
        public event EventHandler<EventArgs> InvalidReferrer;
        public event EventHandler<EventArgs> RevistAttempt;

        private int _pageOrder = -1;
        private bool _allowReturn = true;
        private string _fileName;

        /// <summary>
        /// Gets the file name of the page. Resolved on first use so the session
        /// keys below are correct when a derived page sets them in OnInit.
        /// </summary>
        public string FileName
        {
            get
            {
                if (_fileName == null)
                    _fileName = Path.GetFileName(Request.Url.AbsolutePath);
                return _fileName;
            }
        }

        /// <summary>
        /// Specifies the index of the page in the sequence. The initial page MUST start with 0.
        /// </summary>
        public int SequentialNumber
        {
            get
            {
                if (Session[FileName + "PageOrder"] != null)
                    _pageOrder = (int)(Session[FileName + "PageOrder"]);
                return _pageOrder;
            }
            set
            {
                if (value < 0)
                    throw new ArgumentOutOfRangeException("value", "PageOrder cannot be less than 0");

                Session[FileName + "PageOrder"] = _pageOrder = value;
            }
        }

        /// <summary>
        /// Sets whether the current page should be allowed to be revisited per session.
        /// </summary>
        public bool AllowReturn
        {
            private get
            {
                if (Session["AllowReturn" + FileName] != null)
                    _allowReturn = (bool)Session["AllowReturn" + FileName];

                return _allowReturn || !Page.IsPostBack;
            }
            set
            {
                Session["AllowReturn" + FileName] = _allowReturn = value;
            }
        }

        protected override void OnInit(EventArgs e)
        {
            base.OnInit(e);
        }

        protected override void OnLoad(EventArgs e)
        {
            if (!AllowReturn)
            {
                OnRevistAttempt(this, e);
            }

            // Every page after the first must be reached from the page directly before it.
            if (this.SequentialNumber > 0)
            {
                StrictAccessPage previousPage = PreviousPage as StrictAccessPage;

                if (previousPage == null || this.SequentialNumber - previousPage.SequentialNumber != 1)
                {
                    OnInvalidReferrer(this, e);
                }
            }

            base.OnLoad(e);
        }

        public virtual void OnInvalidReferrer(object sender, EventArgs e)
        {
            if (InvalidReferrer != null)
                InvalidReferrer(sender, e);

            // The server variable is spelled HTTP_REFERER; its value is supplied by the client.
            Response.Redirect(Page.Request.ServerVariables["HTTP_REFERER"] ?? "~/Error.aspx");
        }

        public virtual void OnRevistAttempt(object sender, EventArgs e)
        {
            if (RevistAttempt != null)
                RevistAttempt(sender, e);

            // The server variable is spelled HTTP_REFERER; its value is supplied by the client.
            Response.Redirect(Page.Request.ServerVariables["HTTP_REFERER"] ?? "~/Error.aspx");
        }
    }


    Sample usage...



    public partial class Default : StrictAccessPage
    {
        protected override void OnInit(EventArgs e)
        {
            this.SequentialNumber = 0;
            this.AllowReturn = false;
    
            base.OnInit(e);
        }
    }

    http://www.suckmycode.net

    If I answered your question please "Mark as Answer"