ASP .Net Web.config

Question

In my ASP .Net Application (Not MVC, Just ASP .Net) I have several web forms and need to restrict users from directly accessing to several web pages.

But in the application links from other pages and according to the functionality of application, should be able to redirect(Response.Redirect or Form submission in post or get way) to those pages but strictly not directly entering url in to browser and access them.

I have tried the following in those page load events (In which needs to restrict direct access) and working really fine.

if (Request.UrlReferrer == null)
{
     Response.Redirect("~/Index.aspx", true);
}

But the problem I've got is I am relatively new to ASP .Net and wonder if this is the best way to do this.

1). Mainly I searched but needs to know if I can get this done using the web.config file. If so would be grateful if someone can explain how the web.config file should be to get this done...

2). Also I want to redirect user if he enter wrong URL within the site hosted domain name... For that I did the following in the web.config but wonder if this is correct. Thanks...

<customErrors mode="On" defaultRedirect="~/Index.aspx">
    <error statusCode="404" redirect="~/Index.aspx" />
</customErrors>

Answer 1

You can add this to your web.config file to restrict specific users:

<authorization>
<allow users="user1, user2"/>
<deny users="?"/>
</authorization>

<location path="AccessDenied.aspx">
 <system.web>
<authorization>
<allow users="*"/>
</authorization>
</system.web>
</location>

On your C#, you can use Response.Redirect

protected void Application_EndRequest(Object sender, EventArgs e)
{
    if (HttpContext.Current.Response.Status.StartsWith("401"))
    {
        HttpContext.Current.Response.ClearContent();
        Response.Redirect("AccessDenied.aspx");
    }
}