For a subscription based website I need to validate where the request is coming from. What is the best way to do this?
For example if I give a site abc.com an REFERERE parameter so that traffic coming from them to my site will have advertising turned off. All a wiley webmaster has to do is do a view source and use the same token to spoof my site.
I am looking for a nice/clean/lightweight solution to this problem. I'm confident it is something that has been solved millions of times perhaps even by google analytics. I am told that HTTP_REFERRER is easy to spoof, is that tue?
Suggest you post this in either the Apache forum or one of the other Webmaster World forums related to scripts.
You might also try searching the webmaster World archives (via google)for both cookies and session ID's.
Refer's are not a sure fire method, however the aforementioned capabilities would reduce the liklihood of decption, as would header verfication. There are numerous threads at Webmaster World (and across the internet) on these methods.
It's not as "simple" as you'd like, however it may be accomplished.
While referers can be spoofed, its isn't easy or trivial. Its beyond your average webmaster. Third party webmasters can't look at your code to see if you are checking the referer - this happens within your PHP code (for a LAMP solution) and doesn't show in the output HTML (they could look at the page when they come from different sources and note the change and infer why it happens, of course).
And, no, wilderness doesn't mean abc.com sets a cookie - you can't read 3rd party cookies. On the first page view *your* code notes 'referer = abc.com' and sets a cookie to indicate same throughout the session.
Its possible you are asking too advanced a question for your level - try doing some more reading and experimenting on your own.