Vulnerability in EPiServer.Forms
I have now tried to implement the Criterion myself, bascially using the decompiled code from EPiServer.Personalization.VisitorGroups.Criteria.ViewedPagesCriterion. It turns out that the criterion subscribes to a VisitedPage event which is supposedly raised when a page is visited. By debugging, I have determined that the event subscription is successful, but the event handler is never called. This means that, for some reason, EPiServer does not raise the event.
I tried to subscribe to the StartRequest event instead, and in this case the handler is called. This begs the question: Why is the VisitedPage event not raised when visiting pages?
In MVC the event is raised from an action filter called ViewedPageCriterionAttribute meaning the controller serving the page should have that action filter attribute. If your controller inherit EPiServer.Web.Mvc.PageController<T> you will get it otherwise you need to decorate your controller with the attribute.
In webForms you need to have your page template inheriting from PageBase<T> (or more likely TemplatePage<T>)
Thanks Johan, that was indeed the issue. I used the attribute and the event is now fired as expected.
However, now I am facing a different problem, I have created a seperate thread on it here: http://world.episerver.com/forum/developer-forum/EPiServer-Commerce/Thread-Container/2015/5/wrong-page-link-from-criterioneventargs-when-visiting-commerce-pages/