How can I prevent visitors accessing pages in my website even if they know the URL?

Hi,

I am creating a three step registration/feedback process where user has to fill up some details from Step1 through Step3.
[Please note that there is no authentication or login process, This feedback is anonymous so I cannot capture any user information].

There are 4 files

index.jsp //This is from where they have to start
step1.jsp
step2.jsp
step3.jsp

How can I prevent visitors accessing pages in my website even if they know the URL?

I don't want the customer to move to step1 to step3 without reading the index page
(A link is provided in index page to go to step1) as shown below

<a href="" onClick="window.open('step1.jsp',null,
    'height=screen.height,width=screen.width,status=no,toolbar=no,menubar=no,location=no,scrollbars=yes')">Click here to goto Step1</a>

But I have placed a Javascript to check whether the user is coming from index.jsp from this server or not. This works very well for Mozilla and Firefox but Internet Explorer returns a null value for document.referrer when pages are accessed in this manner (using window.open).

<script language="Javascript">

        //Provide a list of allowed sites
      var site1="http://localhost:8080/app/index.jsp";//Developer Machine, Only for testing purposes
      var site2="http://www.mysite.com/app/index.jsp";//Deployed Server

      if (document.referrer&&document.referrer!=""&&(document.referrer.indexOf(site1) >= 0||document.referrer.indexOf(site2) >= 0)) {
              //alert('Thanks for visiting this site from '+document.referrer); //Allow page to render or skip this alert
      } else {
              alert('You are not allowed to access this page directly, you will be automatically redirected to the page from where you have to start');
              window.location.href="index.jsp";              
      }  

</script>

I have 2 questions to ask

How can I make the above script work in Internet Explorer?
Is there an alternate way to implement this technology with JSP/Servlets?

My aim is not to allow visitors to access step1.jsp, step2.jsp or step3.jsp directly from the browser window(by typing the URL in Address bar/Location bar) even if they know the URL like this.

They have to follow the sequence : index.jsp -> step1.jsp -> step2.jsp -> step3.jsp

http://mysite.com/app/step1.jsp //This should not be allowed
http://mysite.com/app/step2.jsp //This should not be allowed
http://mysite.com/app/step3.jsp //This should not be allowed

Please help.Start Free Trial