How to enforce a URL to be visited before another?

Question

I have two URLs, A and B. I want to prevent users from directly accessing B, and would like to enforce a 'rule' such that one can only access B after visiting A. More specifically, the only route to land on B is via a redirect on A.

I was thinking to use some js in B to check document.referrer, if it is not A then redirect the user out of B. However, this may not work in my case as B is reached using a redirect, in which case document.referrer would not give me A.

I would also prefer, if possible, not to have to do the check using js after the content of B is loaded, which would help saving some bandwidth.

Is there any effective and robust method for doing this?

Answer 1

If you want to avoid the loading the content of B when A has not been viewed yet, then your server needs to set a cookie when the viewer views A and when your server is asked for B, it needs to check for the existence of the proper cookie and NOT serve up the B page contents unless the desired cookie from A is present. You don't describe what you want to happen if the user goes to B when they haven't yet been to A, but your server could set a redirect to A or could serve up a message that the user hasn't done things in the correct order and give them a link to click on.

Conceptually, this is sort of like requiring a viewer login on page A before you will allow the viewing of page B. The login (setting of the cookie) can be automatic after viewing page A or you can require the viewer to take some action on page A (provide credentials, click a button, etc...) before the cookie is set that allows access to page B.

Answer 2

You should have page A set a cookie, and page B check for the existance of the cookie. It is not foolproof nor 100% robust, but it is the accepted method for enforcing such restrictions in stateless applications such as the web.