n1concepts Posted April 16, 2012

Hi, I want to control a variable (decide whether to track a click if coming from a specific site as opposed to hitting the final site (destination) directly).

For example: www.portal.com - this will be a management site that will redirect viewers to the final destination based on variable info - for example $a=123 or $a=567 - which would come in as www.portal.com?a=123 or www.portal.com?a=567

Note: 123 would redirect to www.abc.com?a=123 and/or 567 would redirect to www.xyz.com?a=567 with said variable(s).

------

My question is this: What is the best method to authenticate (both on) www.abc.com and/or www.xyz.com that the referred viewer came from www.portal.com? I know about the superglobals (HTTP_REFERER) but want to know if there is another (more) secure method to manage this interaction between external domains/websites?

Any insight on this appreciated - thx!

xyph Posted April 16, 2012

No. Cookies won't work cross domain.

There's no reliable way to determine where someone has come from, from what I understand. That would allow any website to view your short-term browsing history.

n1concepts Posted April 16, 2012

Yeah, that's the issue - passing data across (external) domains. I know it can be done with $_SESSIONS but that's overboard for what I want to accomplish - it's not sensitive information so no problem using $_GET (appending to the string to pass along).

My only requirement is that I want to acknowledge - from the receiving domains - that the redirect came from that one specific source (www.portal.com) and no other referral, or the data capture won't be logged.

Reason: this way, I can keep "direct" views from being logged as a hit <they have to originate or come from www.portal.com>.

It looks like "HTTP_REFERER" is the option - I will just match on that link.

xyph Posted April 16, 2012

The only way it would work with a session/token system would be if the two domains had access to the shared database/filesystem, and the token was passed in the URL.

www.xyz.com?a=567&token=*tokenhere*

Generally, sessions use cookies which cannot cross domains.

HTTP_REFERER is the easiest way. Otherwise, you'd need a database both domains have access to, and generate/pass/confirm a token.

n1concepts Posted April 16, 2012

I think I may have a way - using Sessions.

Here's my thinking: PHP makes a name/value pair available in a constant named SID if a cookie value for a session ID cannot be found.

To that, I think I may be able to do something like this:

<a href="www.abc.com?<?php echo SID; ?>">Testing</a>

which should reach the browser as:

<a href="www.abc.com?html?PHPSESSID=xxxxxxxxxxxxxwhich will be the encrypted session xxxxxx">Testing</a>

Note: I just have to ensure session_start() is defined on the receiving page and this would then be recognized.

Of course, I'll set this as an automatic (timer) redirect but am explaining in this format for discussion.

I will try this and advise - thx!

n1concepts Posted April 16, 2012

Actually, that was my next thought - I'm just going to set up a centralized MySQL db and use the token to validate the sessions. Yeah, that's the best and certainly a secure method.

Thx!
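
The generate/pass/confirm token flow that xyph describes and the thread settles on, as an added example that is not part of the original posts. The table name `referral_tokens`, the function names, the 60-second lifetime and the `https://www.xyz.com/` URL form are assumptions, and an in-memory SQLite handle stands in for the central MySQL database so the file runs on its own.

```php
<?php
declare(strict_types=1);

// Shared table both domains can reach. In the thread this is a central MySQL
// database; an in-memory SQLite handle stands in here so the file runs alone.
function open_shared_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE referral_tokens (
        token_hash TEXT PRIMARY KEY,
        a          TEXT NOT NULL,
        expires_at INTEGER NOT NULL,
        used       INTEGER NOT NULL DEFAULT 0
    )');
    return $db;
}

// Portal side: record a random token for this redirect and build the URL.
function portal_redirect_url(PDO $db, string $destination, string $a, int $ttl = 60): string
{
    $token = bin2hex(random_bytes(16));          // unguessable, 32 hex chars
    $stmt = $db->prepare('INSERT INTO referral_tokens (token_hash, a, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $a, time() + $ttl]);
    return $destination . '?' . http_build_query(['a' => $a, 'token' => $token]);
}

// Destination side: log the hit only if the token exists, matches "a",
// has not expired and has not been used. The single UPDATE makes the
// check-and-consume step atomic, so a replayed URL fails.
function came_from_portal(PDO $db, string $a, string $token): bool
{
    $stmt = $db->prepare('UPDATE referral_tokens SET used = 1
        WHERE token_hash = ? AND a = ? AND used = 0 AND expires_at >= ?');
    $stmt->execute([hash('sha256', $token), $a, time()]);
    return $stmt->rowCount() === 1;
}

// Constructed walk-through: one redirect to the www.xyz.com example host.
$db  = open_shared_db();
$url = portal_redirect_url($db, 'https://www.xyz.com/', '567');
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);

var_dump(came_from_portal($db, $q['a'], $q['token']));   // first arrival
var_dump(came_from_portal($db, $q['a'], $q['token']));   // same URL replayed
var_dump(came_from_portal($db, '567', 'not-a-token'));   // direct visit, guessed token
```

Only the SHA-256 of the token is stored, so read access to the shared table does not yield usable tokens. Because the token travels in the query string, a short lifetime and single use limit what a copied or logged URL can do.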