First of all, I’m aware that this question is strange and I will probably get a lot of downvotes for it, but I still need some more information…
Here’s the problem: The company I work for maintains a webshop (PHP, MySQL, IIS). The webshop is going to give a discount to people who came from some other, third-party website. After logging in to the third-party website, the users are presented with a static link to the webshop (the link can contain some sort of code) [UPDATE: we can provide the link, that’s all we can do, we have no privileges whatsoever on the third-party server]. If they use that link to go to the webshop they have to get the discount. If a user uses another link, or goes to the webshop directly, they shouldn’t get the discount.
I was thinking of using PHP’s HTTP_REFERER to check if the user comes from the third-party website, but that is not reliable. Is there another way to make this a bit more secure? I’m aware that we won’t be able to create something that makes it completely safe, but we should at least do something that keeps the user from posting the link to a forum or sharing it by e-mail.
I hope you can help me, please don’t burn me down for having to implement the request of a customer. I know this is stupid, I just need to do it and I want to do it in the best way possible.
Not really. The best you can do is use a combination of HTTP_REFERER and a secret code embedded in the link, but the former is simple to fake and the latter is simple to copy. You’re essentially asking to publish a phone number without letting anybody know what the phone number is.
Edit: If you’ve got some influence over the remote 3rd party site, you could make a joint agreement to change the secret code on a regular (daily?) basis. Or better, if you can both do this programmatically, then you can set the code expiry to a very short time (e.g. one minute) — this would make forum postings useless.
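Added example, not part of the original answer: one way the short-expiry code from the edit could be generated and checked when both sites can run code. It assumes a secret shared out of band and roughly synchronized clocks; the function names, the `discount` query parameter, the `shop.example` host and the HMAC-over-time-window construction are all illustrative assumptions.

```php
<?php
// Placeholder secret: both sites would hold the same random value.
const SHARED_SECRET = 'replace-with-a-long-random-secret';
// Code lifetime, matching the "one minute" expiry suggested in the answer.
const WINDOW_SECONDS = 60;

// Third-party side: derive the code for the time window that contains $now.
function discount_code(int $now, string $secret = SHARED_SECRET): string
{
    $window = intdiv($now, WINDOW_SECONDS);
    return hash_hmac('sha256', (string) $window, $secret);
}

// Webshop side: accept the current window and the one before it, so a
// user who clicks just after a window boundary is not rejected.
function is_valid_discount_code(string $code, int $now, string $secret = SHARED_SECRET): bool
{
    foreach ([0, 1] as $age) {
        $expected = discount_code($now - $age * WINDOW_SECONDS, $secret);
        // hash_equals compares in constant time.
        if (hash_equals($expected, $code)) {
            return true;
        }
    }
    return false;
}

// Constructed demonstration with a fixed clock instead of time().
$issuedAt = 1700000000;
$code = discount_code($issuedAt);
echo "https://shop.example/?discount={$code}\n";

// The link is followed 30 seconds after it was rendered.
var_dump(is_valid_discount_code($code, $issuedAt + 30));
// The same link is followed ten minutes later, e.g. from a forum post.
var_dump(is_valid_discount_code($code, $issuedAt + 600));
// A value that was never issued.
var_dump(is_valid_discount_code('not-a-code', $issuedAt));
```

The code is identical for every visitor within a window, so this bounds how long a copied link keeps working rather than who can use it, and it requires the third-party page to compute the link on each request instead of serving a static one.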