|How to determine REFERER reliably|
| 5:26 pm on Sep 22, 2009 (gmt 0)|
For a subscription-based website I need to validate where the request is coming from. What is the best way to do this?
For example, if I give a site abc.com a REFERER parameter so that traffic coming from them to my site will have advertising turned off, all that a rogue webmaster has to do is do a view source and use the same referer_id to spoof my site.
I am looking for a nice/clean/lightweight solution to this problem. I'm confident it is something that has been solved millions of times, perhaps even by Google Analytics. I am told that HTTP_REFERER is easy to spoof; is that true?
| 6:04 pm on Sep 22, 2009 (gmt 0)|
So forget referrers and client-side code... What actual problem are you trying to solve? How critical is it that the solution work 100% of the time?
I can't really think of any 100% solution unless the referring site is willing to use a script to 'handshake' with your site behind the scenes, get an encrypted 'key' from your server, and append that to the referred URL given to the visitor about to click on your link. This would put a fairly heavy load on both of your servers, though, because the key would be requested whenever the referring page was loaded, regardless of whether the visitor ever clicked through to your site. And you would have to validate that key when received with a request.
All in all, I think I'd look for a completely different plan, like separate pages for your referring partners to link to. But then, anyone could link to those pages as well... So I doubt that this problem has been solved "millions of times" because referral-based functions cannot be reliable unless they're from domains that you fully control.
| 6:10 pm on Sep 22, 2009 (gmt 0)|
Umm.. thanks for your considered response.
- I'd be OK with a less than 100% solution.
- I can put a JS script on the other server too (but worry about the load on both servers, as you rightly pointed out)
The problem I am looking to solve is really suppressing advertising for 'premium' customers.
| 7:05 pm on Sep 22, 2009 (gmt 0)|
If your premium customers have accounts (login username and password) on your site, then use a cookie that is set when they log in, and thereafter suppresses advertising. Really, this control mechanism needs to take place 100% within your own domain.
If you are willing to put up with approximately 33% of your incoming "premium customer" referrals seeing ads, then the referrer-based method may be good enough. Otherwise, some other approach is needed.
| 7:10 pm on Sep 22, 2009 (gmt 0)|
How easy is it to spoof HTTP_REFERER so that some percentage of non-premium members can see premium content?
| 7:13 pm on Sep 22, 2009 (gmt 0)|
Also, a cookie-based approach for premium content does not work in our case. Perhaps a better analogy would be to use affiliate marketing: wherein if someone comes through a particular link then they can see premium content (of course the affiliate never wants to use someone else's id and give them credit ;) )
| 7:24 pm on Sep 22, 2009 (gmt 0)|
It's not easy for Joe-average surfer to spoof the referrer. But if your content is worth the effort --valuable enough-- then you will encourage some percentage of your visitors to go seek the tools needed to do it. They're not hard to find.
In affiliate marketing, the affiliate identifies himself via the requested URI so as to get credit from you. After validating the affiliate ID, you could then set a cookie to prevent your ads from showing. It's pretty much either that or require your premium visitors to log in (HTTP cookies and HTTP authentication headers are sent to your server with every request from the browser).
Maybe someone else has more or better ideas, but I've posted all of mine short of magic or divine intervention...
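The server-issued key from the 6:04 pm reply and the validate-then-set-cookie step from the last reply, sketched as an added example that is not part of the original thread. It assumes an HMAC-signed, expiring token in place of an encrypted key; the secret, partner list, TTLs and all function names are hypothetical.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo values (assumptions): the secret lives only on your server.
SERVER_SECRET = b"constructed-demo-secret"
PARTNERS = {"abc.com"}
URL_KEY_TTL = 300        # seconds a referral key in a URL stays valid
COOKIE_TTL = 24 * 3600   # seconds the ad-free cookie stays valid

def _mac(payload):
    digest = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode().rstrip("=")

def issue(purpose, partner_id, ttl, now=None):
    """Return 'purpose~partner~expiry~mac'; purpose keeps URL keys and cookies apart."""
    now = time.time() if now is None else now
    payload = f"{purpose}~{partner_id}~{int(now + ttl)}"
    return f"{payload}~{_mac(payload)}"

def validate(token, purpose, now=None):
    """Return the partner id if the token is genuine, unexpired and for this purpose."""
    now = time.time() if now is None else now
    payload, _, mac = token.rpartition("~")
    # Constant-time comparison: a forged or altered token fails here.
    if not hmac.compare_digest(mac.encode(), _mac(payload).encode()):
        return None
    parts = payload.split("~")
    if len(parts) != 3 or parts[0] != purpose:
        return None
    if now > int(parts[2]):
        return None  # key copied from page source and replayed after expiry
    return parts[1]

def landing_request(url_key, now=None):
    """Validate the referral key once, then return a Set-Cookie value (or None)."""
    partner = validate(url_key, "ref", now)
    if partner not in PARTNERS:
        return None
    cookie = issue("adfree", partner, COOKIE_TTL, now)
    return f"adfree={cookie}; Max-Age={COOKIE_TTL}; HttpOnly; Secure; SameSite=Lax"

def ads_suppressed(cookie_value, now=None):
    """Checked on every later request, entirely within your own domain."""
    return validate(cookie_value, "adfree", now) in PARTNERS
```

A key copied from the partner page still works until it expires, so the short TTL bounds replay rather than preventing it.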