Without having to change this one VB.NET Web Application that I'm modifying,
I added the following code at the first line in the Page_Load():

    If Context.Request.ServerVariables("HTTP_REFERER") = "" Then
        Response.Redirect("unauthorized.aspx")
    End If

When you come from an aspx, asp, etc. page (including a postback), the
HTTP_REFERER contains the page you're coming from (as well as the server
name).
If the user cuts the following URL and pastes it into the URL of
their browser:
http://www.server.com/somepage.aspx?v1=one&v2=two
HTTP_REFERER will then contain nothing because the user is coming from a
browser and not being redirected from a page on your
www.server.com server.
One note though...
This will only deter regular people from messing with the URL from a
browser.
Programmers can just write a program to fill in the HTTP_REFERER or some
other similar method to fill in the HTTP_REFERER.
Another thing to do is use a POST instead of a GET method.
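
An added example, not part of the original post: because HTTP_REFERER is supplied by the client and can be filled in by any program, a check that holds up has to rest on something the client cannot compute. This console program signs the query string with HMAC-SHA256 and rejects edited parameters; the module name, the "sig" parameter name and the key value are assumptions made for illustration.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text

' Added example: tamper-evident query strings instead of a Referer check.
Public Module SignedQuery
    ' Assumption: a real application loads the key from protected
    ' configuration. This value is a constructed placeholder.
    Private ReadOnly Key As Byte() = Encoding.UTF8.GetBytes("example-only-secret-change-me")

    ' Returns the hex HMAC-SHA256 of the exact query text, e.g. "v1=one&v2=two".
    Public Function Sign(query As String) As String
        Using h As New HMACSHA256(Key)
            Dim mac As Byte() = h.ComputeHash(Encoding.UTF8.GetBytes(query))
            Return BitConverter.ToString(mac).Replace("-", "").ToLowerInvariant()
        End Using
    End Function

    ' Appends the signature as a final "sig" parameter (hypothetical name).
    Public Function BuildLink(page As String, query As String) As String
        Return page & "?" & query & "&sig=" & Sign(query)
    End Function

    ' True only if rawQuery ends in a sig that matches everything before it.
    Public Function Verify(rawQuery As String) As Boolean
        If rawQuery Is Nothing Then Return False
        Dim i As Integer = rawQuery.LastIndexOf("&sig=", StringComparison.Ordinal)
        If i < 0 Then Return False
        Dim expected As String = Sign(rawQuery.Substring(0, i))
        Dim given As String = rawQuery.Substring(i + 5)
        ' Compare every position instead of stopping at the first mismatch.
        Dim diff As Integer = expected.Length Xor given.Length
        For n As Integer = 0 To Math.Min(expected.Length, given.Length) - 1
            diff = diff Or (AscW(expected(n)) Xor AscW(given(n)))
        Next
        Return diff = 0
    End Function

    Public Sub Main()
        ' Constructed sample input based on the URL in the post.
        Dim link As String = BuildLink("somepage.aspx", "v1=one&v2=two")
        Dim q As String = link.Substring(link.IndexOf("?"c) + 1)
        Console.WriteLine(Verify(q))                            ' untouched link
        Console.WriteLine(Verify(q.Replace("v2=two", "v2=2")))  ' edited parameter
        Console.WriteLine(Verify("v1=one&v2=two"))              ' no signature
    End Sub
End Module
```

In Page_Load the value passed to Verify would be Request.Url.Query.TrimStart("?"c), redirecting to unauthorized.aspx when it returns False. The signature stops parameters from being changed; it does not stop a complete signed link from being pasted again.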