Welcome to WebmasterWorld Guest from 18.104.22.168
For example if I give a site abc.com a REFERER parameter so that traffic coming from them to my site will have advertising turned off. All that a rogue webmaster has to do is do a view source and use the same referer_id to spoof my site.
I am looking for a nice/clean/lightweight solution to this problem. I'm confident it is something that has been solved millions of times perhaps even by google analytics. I am told that HTTP_REFERRER is easy to spoof, is that true?
So forget referrers and client-side code... What actual problem are you trying to solve? How critical is it that the solution work 100% of the time?
I can't really think of any 100% solution unless the referring site is willing to use a script to 'handshake' with your site behind the scenes, get an encrypted 'key' from your server, and append that to the referred URL given to the visitor about to click on your link. This would put a fairly heavy load on both of your servers, though, because the key would be requested whenever the referring page was loaded, regardless of whether the visitor ever clocked through to your site. And you would have to validate that key when received with a request.
All in all, I think I'd look for a completely-different plan, like separate pages for your referrering partners to link to. But then, anyone could link to those pages as well... So I doubt that this problem has been solved "millions of times" because referral-based functions cannot be reliable unless they're from domains that you fully control.
The problem I am looking to solve is really suppressing advertising for 'premium' customers.
If your premium customers have accounts (login username and password) on your site, then use a cookie that is set when they log in, and thereafter suppresses advertising. Really, this control mechanism needs to take place 100% within your own domain.
If you are willing to put up with approximately 33% of your incoming "premium customer" referrals seeing ads, then the referrer-based method may be good enough. Otherwise, some other approach is needed.
In affiliate marketing, the affiliate identifies himself via the requested URI so as to get credit from you. After validating the affiliate ID, you could then set a cookie to prevent your ads from showing. It's pretty much either that or require your premium visitors to login (HTTP cookies and HTTP authentication headers are sent to your server with every request from the browser).
Maybe someone else has more or better ideas, but I've posted all of mine short of magic or divine intervention...