Objective

Restrict direct URL access to all pages but Logon.aspx ensuring that a user must be referred to every other page.

Driver

The driver behind this requirement is our internal security department. They feel that this is the only acceptable solution to ensure the application is always secure.

Problem

The problem is two-fold, so let’s deal with the first one. If a user is logged in and on a page they can copy the URL, open up a new tab, close the previous tab, paste the URL, and the session is still alive. I understand why this is happening but they are saying we need to keep that from happening. And please don’t ask me why, if I could answer that I probably would be convincing them otherwise.

The second part of the problem is that the way the application was originally written (insert really angry face here) two of the web forms are reused for enrollment. This specifically means that those pages are accessible even if the user isn’t logged in. However, we have to make it so that they were specifically referred to those pages through the process flow and thus not directly accessible.

As an example for the aforementioned paragraph, consider the following. The user copies the URL to one of the shared forms, opens up a new browser, and pastes in the URL. The session is dead but the form displays for the purposes of enrollment. However, this is problematic because they haven’t accepted the terms and they have broken the already fragile flow.

What have I tried?

Honestly, nothing. I’m up here panning for ideas because the best I’ve seen thus far Googling is stuff surrounding ensure the user is logged in first. Some use cookies and others use the membership provider, but the fact that the user is logged in already doesn’t address either of my problems.

I look forward to hearing from you all!