Reputation: 11240
First of all, I'm aware that this question is strange and I will probably get a lot of downvotes for it, but I still need some more information...
Here's the problem: the company I work for maintains a webshop (PHP, MySQL, IIS). The webshop is going to give a discount to people who came from some other, third-party website. After logging in to the third-party website, the users are presented with a static link to the webshop (the link can contain some sort of code) [UPDATE: we can provide the link, that's all we can do, we have no privileges whatsoever on the third-party server]. If they use that link to go to the webshop, they have to get the discount. If a user uses another link, or goes to the webshop directly, they shouldn't get the discount.
I was thinking of using PHP's HTTP_REFERER to check if the user comes from the third-party website, but that is not reliable. Is there another way to make this a bit more secure? I'm aware that we won't be able to create something that makes it completely safe, but we should at least do something that keeps the user from posting the link to a forum or sharing it by e-mail.
I hope you can help me, please don't burn me down for having to implement the request of a customer. I know this is stupid, I just need to do it and I want to do it in the best way possible.
Upvotes: 1
Views: 86
Reputation: 2940
Here is a suggestion:
Your affiliate site generates a unique string which is embedded in the link to your site.
// Token bound to the visitor's browser and IP address plus a shared secret
$link=md5($_SERVER["HTTP_USER_AGENT"].$_SERVER["REMOTE_ADDR"]."Very secret string");
echo '<a href="http://yoursite.com/?ref='.$link.'">Claim your rebate now!</a>';
On the receiver side:
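// Recompute the token for this request and compare it with the one from the link
$expected = md5($_SERVER["HTTP_USER_AGENT"].$_SERVER["REMOTE_ADDR"]."Very secret string");
if (isset($_GET["ref"]) && is_string($_GET["ref"]) && hash_equals($expected, $_GET["ref"])) {
    applyRebate();
}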
Upvotes: 0
Reputation: 1785
Have the link call a JavaScript function that forms a URL to your PHP script that passes the window location href as a parameter. Then in the PHP script, test that the href matches the expected origination point.
Upvotes: 0
Reputation: 53573
...we should at least do something that keeps the user from posting the link to a forum or sharing it by e-mail.
Not really. The best you can do is use a combination of HTTP_REFERER and a secret code embedded in the link, but the former is simple to fake and the latter is simple to copy. You're essentially asking to publish a phone number without letting anybody know what the phone number is.
Edit: If you've got some influence over the remote 3rd party site, you could make a joint agreement to change the secret code on a regular (daily?) basis. Or better, if you can both do this programmatically, then you can set the code expiry to a very short time (e.g. one minute) -- this would make forum postings useless.
Upvotes: 2
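The short-lived code suggested in the answer above, sketched as an added example that is not part of the original thread. It assumes the third-party site can run code when it renders the link and that both sides share a secret and roughly synchronized clocks; the function names, the `ref` parameter format, `shop.example` and the 60-second lifetime are all hypothetical.

```php
<?php
// Added example: names, secret and lifetime are assumptions, not from the thread.
const SHARED_SECRET = 'replace-with-a-long-random-secret'; // placeholder, agreed out of band
const TOKEN_TTL     = 60;                                  // seconds a link stays valid

// Third-party side: issue "<expiry>.<hmac>" when the logged-in page is rendered.
function make_discount_token(int $now, string $secret = SHARED_SECRET): string
{
    $expires = $now + TOKEN_TTL;
    $mac = hash_hmac('sha256', (string)$expires, $secret);
    return $expires . '.' . $mac;
}

// Webshop side: accept only a well-formed, unexpired token with a valid MAC.
function verify_discount_token($token, int $now, string $secret = SHARED_SECRET): bool
{
    // Reject a missing, array-valued or malformed parameter before any crypto.
    if (!is_string($token) || !preg_match('/\A(\d{1,12})\.([0-9a-f]{64})\z/', $token, $m)) {
        return false;
    }
    // The MAC covers the expiry, so the timestamp cannot be edited in the URL.
    $expected = hash_hmac('sha256', $m[1], $secret);
    if (!hash_equals($expected, $m[2])) {   // constant-time comparison
        return false;
    }
    return (int)$m[1] >= $now;              // valid only until the expiry passes
}

// Constructed demonstration with a fixed clock value instead of time().
$t0    = 1700000000;
$token = make_discount_token($t0);
echo 'https://shop.example/?ref=' . urlencode($token), "\n";

// Case 1: link followed 30 seconds after it was issued.
var_dump(verify_discount_token($token, $t0 + 30));
// Case 2: same link followed after the lifetime has passed.
var_dump(verify_discount_token($token, $t0 + 61));
// Case 3: expiry pushed a day ahead while the original MAC is reused.
$forged = ($t0 + 86400) . substr($token, strpos($token, '.'));
var_dump(verify_discount_token($forged, $t0 + 30));
```

A token copied inside its lifetime still verifies, so this narrows the window for sharing rather than closing it.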
Reputation: 11301
First of all, I don't think it's a stupid question at all :)
The HTTP_REFERER approach doesn't sound too bad... You're right it's not completely waterproof, but you have to rely on the user's browser to tell you where he's coming from anyway - there's no other way. I'd say a combination of a special link and checking the HTTP_REFERER on your end should do pretty good.
Upvotes: 0