I need to know if someone navigated to a specific page of my app using the URL bar or if they clicked a link to get there.
I want to prevent users from being able to use the URL bar to navigate to some pages.
The issue is I cannot use HTTP referrer because my app doesn't load a new page when the URL changes. It just loads new data on the page so my referrer is always the login screen. Also there are various triggers that change the URL to load this data automatically so I would need to know for sure the user specifically typed in the URL bar and hit enter.
Is there any other way of knowing the user entered something from the URL bar so I can block the request?
So you’re saying your page loads HTML files dynamically from the server using a JavaScript API such as fetch, then uses the JavaScript History API to update the URL with the name of the HTML file that was loaded? So the first URL is /page?name=logincheck.html, and then it changes the URL to /page?name=thetool.html after performing the login check, without the page reloading?
If that’s how your app works, theoretically you could disable the URL rewriting – the app can still know what page it is on because the JavaScript can save the current page to a variable. Then users would never see the URL with thetool.html that bypasses the login check. But this setup will not protect you from a malicious hacker who is able to guess that thetool.html is a page that exists.
If you want to prevent people from loading a specific page, the correct place to check for this is on the server-side. If you did the security checks in JavaScript, a malicious user could tell their browser to ignore that JavaScript, and run their own JavaScript instead that doesn’t do the check.
How to check on the server side whether someone has logged in depends on what server software you are using (Apache Server, a Java Spring MVC app, a Ruby on Rails app) and how your current login page currently tells the rest of your software that the user has logged in (a cookie, a row in a sessions table in a database, a JSON Web Token saved to local storage). I can’t give instructions without knowing the software and authentication method you’re using, but I can tell you it’s possible.
In general, logging in should both tell the server to create a new user session, and save a cookie in the browser referencing that session. Whenever a browser requests a protected page, the server software should first check if a session cookie was sent, and if the session cookie corresponds to a currently-valid session. If it does not, the server software should send an empty page with the 403 Forbidden status code instead of the actual page.