Ok, here is the problem.
I have a facebook application where users can earn points for completing surveys. When the user has completed the survey, at the end of the survey a tracking pixel is fired to credit the users account. The pixel loads a script like the one below:
http://www.mysite.com/fb/add-credit.php?userid=<fbid>
I want to secure this from outside access. I have thought about using referrers, but someone could easily sniff the traffic, and fake the referrer.
I also thought about this. When the user clicks the link to complete the survey I will create an entry in the database with a MD5 timestamp as the token. If the user was to then try and credit their own account by going direct to the add-credit script they would need to know the exact timestamp.
Would there be any issues with the second solution?
When a client starts a survey, make an MD5Hash like so: take the IP Address & survey id concate and MD5 it, add all this information to the table. When the client get’s to the end of your survey, the image is called with only the survey ID, the image is a script that takes the survey ID as an arg in some fashion, and MD5s the IP address and survey id that are concated. It then checks to see if it can find an MD5Hash that matches this, if it does, give the client credit and clear the MD5Hash field to make sure the client does not get a double credit.