0

Actually, I just want to show the main address of my site, like "http://localhost/website/", and want to keep this address for all of my views (for security purposes, so that after login no one can navigate through the address bar, not even to those pages for which the person is authenticated; a person should only be supposed to navigate from menus), which I will call from controllers. I don't want to show my controllers' names or the query string anywhere, not even in the status bar or the properties of the page.

4
  • 10
    So you really hate the web, right? What's so special about your URLs? You do authentication at all your protected URLs with an authorization filter, right? That's all you need. Commented Sep 1, 2010 at 5:24
  • 3
    This sounds really interesting; however, note that thinking of hidden URLs as a security feature is wishful thinking. An HTTP request is an HTTP request, regardless of whether your browser displays an address bar. Your attackers will know what's going on, even if your average user does not. Commented Sep 1, 2010 at 5:34
  • 4
    Hiding the URLs doesn't help security. You need to actually implement authentication/authorisation on the relevant areas of your website. What you are asking for is pretty ridiculous, IMHO. Commented Sep 1, 2010 at 5:34
  • 2
    Hiding URLs will annoy your regular visitors and users, because they cannot send a URL to friends/colleagues and so on. The security does not benefit at all from this. You have to make it secure with authentication/authorisation, as said above. In MVC this even works pretty neatly: you can add an authorize for every method or for the whole controller by putting this text above the method or controller: [Authorize(Roles = "role1,role2")] Commented Sep 1, 2010 at 7:51

4 Answers

5

Here's a tortured way you might be able to do what you're asking for, but I can assure you it won't give you what you want. Specifically, it wouldn't protect you from any but the most technically incompetent of attackers:

  1. Require all requests other than the first GET request to /website to be a POST to /website. All requests will need to contain a hidden form element that provides equivalent information to your application. This includes all hyperlinks internal to your application. That won't be fun.
  2. You'll need to replace the default routing handler using a custom implementation of IRouteHandler so that it inspects the HTTP RequestContext to get the form data (or JSON/XML request) for the content. IRouteHandler will need to return an appropriate handler, possibly a wrapper around MvcHandler, in response to the GetHttpHandler method.
  3. You will probably need to carefully avoid using most of the built-in helpers for generating URLs or Ajax requests for existing controllers and write your own.

So, after solving whatever complications you discover while attacking those problems, what will you have? A really nonstandard web application that takes advantage of very few of the built-in features of ASP.NET MVC, or of the idioms that have been well established in HTTP over the many years it's been around. You'll be vulnerable to any replay attacks you would have been subject to without URLs being visible; the only difference is that your application will be less convenient to your users, since they won't be able to use favorites/bookmarks.

The most sensible alternative is to use either a RESTful URL routing scheme, or the default routing scheme that you'll get with the default routes, then learn to use Authorization action filters.

Keep in mind that just because something doesn't show up in the URL or QueryString doesn't mean it's unavailable. It's just part of the body of the HTTP request. With the help of something like Fiddler, a client can even inspect SSL traffic to your server. That's why you'll need a more complete solution than just making the URLs inflexible.

You want to learn the "happy path" to developing web applications. If you're trying too hard to get around really basic conventions of the environment you are developing in, there's probably already a better way to solve the problem you think you have.

Comments
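
The authorization action filters recommended in the answer above, and the `[Authorize(Roles = "role1,role2")]` attribute quoted in the comments, look like this in a controller. This is an added example, not code from any of the answers; `InvoicesController`, `IInvoiceStore` and `Invoice` are hypothetical names, and it assumes ASP.NET MVC 3 or later (for `HttpNotFound` and `HttpStatusCodeResult`).

```csharp
using System.Web.Mvc;

// Hypothetical types for illustration; swap in your own data access.
public class Invoice { public int Id; public string OwnerName; }
public interface IInvoiceStore { Invoice Find(int id); void Remove(int id); }

[Authorize] // every action below rejects anonymous requests
public class InvoicesController : Controller
{
    private readonly IInvoiceStore _store;

    // Assumes a controller factory / DI container supplies the store.
    public InvoicesController(IInvoiceStore store) { _store = store; }

    // Any signed-in user; the URL can be shown and bookmarked safely.
    public ActionResult Index() { return View(); }

    // The role check runs on every request, whether it came from a menu
    // link, a typed URL or a hand-built POST.
    [Authorize(Roles = "role1,role2")]
    public ActionResult Details(int id)
    {
        Invoice invoice = _store.Find(id);
        if (invoice == null) return HttpNotFound();

        // Object-level check: a role filter cannot know who owns record `id`.
        bool isOwner = invoice.OwnerName == User.Identity.Name;
        if (!isOwner && !User.IsInRole("role2"))
            return new HttpStatusCodeResult(403);

        return View(invoice);
    }

    // State changes: POST only, anti-forgery token required, narrower role.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Roles = "role2")]
    public ActionResult Delete(int id)
    {
        if (_store.Find(id) == null) return HttpNotFound();
        _store.Remove(id);
        return RedirectToAction("Index");
    }
}
```

With checks placed here, the decision is made on the server for every request, so it does not matter whether the address bar shows `/Invoices/Details/5` or a single fixed URL.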

1

Since any trick you try will probably be figured out by someone determined enough, why not just use a frame/iframe if you're hiding it from an average user?

Comments

0

Another hack for this is to create a page with an iframe that hosts the web application, so that the main frame page's URL never changes.

e.g.

<html>
<body>
<iframe src="http://localhost/myapp/controller"></iframe>
</body>
</html>

Comments

-2

Add an access filter in MVC; in that access filter, check the UrlReferrer of the request. If UrlReferrer is null (the request came directly from the address bar), take appropriate action.

Comments
