We are re-developing our buyonline functionality and we are doing it the RESTful way.
The process is a three step one and the customer is asked to enter data at each step.
Let's say the three URLs are:
/step1.aspx
/step2.aspx
/step3.aspx
Each step is pretty autonomous and doesn't require data from any of the other steps.
The question is how do I stop customers directly navigating to step2 without first completing the details in step1, given each step knows nothing about the previous step?
I know I can add a property to my object model telling me which step was the last one etc but doesn't that kinda break the whole REST principle?
I also don't want to check my model as to whether details in a previous step have been filled in because again that violates REST principles.
I think I'm slowly resigning myself to a concept that I need (something) to tell me where I have been but I don't want that.
Should/Can the controller perhaps detect that the history doesn't contain the previous step placing control back to where I think it should be?
REST URLs are supposed to represent entities. e.g. books / orders / photos etc.
I think the confusion above is that you're trying to represent a booking sequence in REST terms as entities, and (of course) they're not. So the objects that your customers can select, their orders etc. may be usefully represented in this fashion. Other elements of the process shouldn't be.
You may argue that step 1 represents an address (for the sake of argument). But POSTing an address object is distinct from entering that data in a form and permitting navigation to/from related pages. That operation has a sequence or flow to it, and is conceptually richer than simply POSTing/GETing/DELETEing an address. You've illustrated this by arguing you want to prevent someone completing step 2 without completing step 1 etc.
When going from step1.aspx to step2.aspx, pass a query parameter that contains some key that tells the server that step1 was visited. For example, step1.aspx has a href to step2.aspx?whatever=a92jv29.
The "a92jv29" can be, for example, an encrypted timestamp from the server. You can easily verify that it is valid (not expired and not from the future) on the server side. No need to store the state.
Your URLs could have better names, such as "terms.aspx", "registration.aspx" or whatever, but that is strictly not necessary.
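A sketch of the stateless token described in the last answer, added here as an example and not code from the answer or the asker's site. It swaps the "encrypted timestamp" for an HMAC-signed timestamp bound to the step name; the key, validity window and function names are assumptions.

```python
import base64
import hashlib
import hmac
import time

# Assumptions for this example: a server-only secret (constructed value),
# a 15-minute validity window and a small clock-skew tolerance.
SECRET_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 15 * 60
CLOCK_SKEW_SECONDS = 5


def _sign(payload):
    """HMAC-SHA256 over the payload with the server-side key."""
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def issue_step_token(completed_step, now=None):
    """Value that the completed step places in its link to the next step."""
    issued_at = int(time.time() if now is None else now)
    mac = _sign(f"{completed_step}|{issued_at}".encode())
    return f"{issued_at}.{base64.urlsafe_b64encode(mac).decode()}"


def verify_step_token(token, required_step, now=None):
    """True only for an untampered, unexpired token issued by required_step."""
    now = time.time() if now is None else now
    try:
        issued_text, mac_text = token.split(".", 1)
        issued_at = int(issued_text)
        supplied = base64.urlsafe_b64decode(mac_text.encode())
    except (ValueError, AttributeError):
        return False  # malformed, missing or non-string token
    expected = _sign(f"{required_step}|{issued_at}".encode())
    # Constant-time comparison; the step name is part of the signed data,
    # so a token issued for one step is rejected for another.
    if not hmac.compare_digest(supplied, expected):
        return False
    if issued_at > now + CLOCK_SKEW_SECONDS:
        return False  # "from the future"
    return now - issued_at <= MAX_AGE_SECONDS  # not expired


if __name__ == "__main__":
    token = issue_step_token("step1")
    print("/step2.aspx?whatever=" + token)
    print("accepted:", verify_step_token(token, "step1"))
```

Anyone who holds the URL can reuse the token until it expires, so it shows that step 1's link was issued recently rather than that a particular customer's data was saved. Binding it to a session or order identifier narrows that, at the cost of the statelessness the answer aims for.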