If you goals are simply;
+ To support Url-based state (i.e. no session state dependencies), but
+ To prevent normal users from jumping straight to a page
One possibility is;
+ Create a frameset with one 100% by 100% frame, which contains your normal
site
+ Add some js to your regular site pages that check for the existance of
the frame
This basically hides navigational hyperlinks from the user (they only see
the entry page link in the browser's url bar). If the user does a view
source and gets the page Url, or does a rt-click add to favorites, they
still won't be able to execute the Url directly without the frame.
Fairly easy for a techie to circumvent but it requires more technical
knowledge than your average user possesses. At least it offers a mild
deterrent.
You could also do more complex things like;
+ /index.aspx - the site entry page. Creates a GUID, stores it in a
session var, redirects user to /home.aspx
+ /home.aspx - the site home page. A frameset, but which retrieves the
GUID from the session var and stores it in a js-accessible location
(possibly a public var to the page, or in a js function, or as a custom
attribute to <BODY>, etc.)
+ /??? - internal site pages, the ones you're "protecting" from direct
access. Normal ASPX pages, but they include a .NET-rendered js chunk that
compares the session var GUID to the GUID in the frame. If they don't
match, or there's no frame, redirect back to /index.aspx. You could, no
doubt, implement this as a drop-in control.
You could further private-key-sign the GUID that's rendered in the frame,
and on test, verify the signature to ensure the GUID was issued by the
server. Silly, probably overkill, but I'm just throwing ideas at the
markerboard to see what sticks for you.
All the best,
/// M
"Peter Morris [Droopy eyes software]" <pe**@not.this.or.this.droopyeyes.com>
wrote in message news:OD**************@TK2MSFTNGP15.phx.gbl...
What about each link on your page having a guid instead of an id? The
true ID could be stored in Cache[] and set to expire in 5 minutes. That way
the referring page would not have the real ID, and the destination page could
check that the Cache[] item exists before displaying.
Probably a crap idea, but it was at least an idea :-)
--
Pete
====
ECO Modeler, Audio compression components, DIB graphics controls,
FastStrings
http://www.droopyeyes.com
Read or write articles on just about anything
http://www.HowToDoThings.com
My blog
http://blogs.slcdug.org/petermorris/