JavaScript is insecure because it too can be hacked to send whatever is needed to your server. HTTP Referer headers are unreliable because they can be spoofed, and because many "Internet Security" software packages, firewalls, and ISP caching proxies can suppress them -- usually without your visitor knowing anything about it.

So forget referrers and client-side code... What actual problem are you trying to solve? How critical is it that the solution work 100% of the time?

I can't really think of any 100% solution unless the referring site is willing to use a script to 'handshake' with your site behind the scenes, get an encrypted 'key' from your server, and append that to the referred URL given to the visitor about to click on your link. This would put a fairly heavy load on both of your servers, though, because the key would be requested whenever the referring page was loaded, regardless of whether the visitor ever clocked through to your site. And you would have to validate that key when received with a request.

All in all, I think I'd look for a completely-different plan, like separate pages for your referrering partners to link to. But then, anyone could link to those pages as well... So I doubt that this problem has been solved "millions of times" because referral-based functions cannot be reliable unless they're from domains that you fully control.

Jim

Umm.. thanks for your considered response.
- I'd be ok with a less than 100% solution.
- I can put a JS script on the other server too (but worry abt the load on both servers - as u rightly pointed out)

The problem I am looking to solve is really suppressing advertising for 'premium' customers.

Thanks.
--

In general, JavaScript doesn't run on servers, it runs on the visitor's machine (in the browser) as the browser displays the Web page. As a result, the JS code has already been downloaded to the visitor's computer, and can therefore easily be inspected and hacked. So don't use JS for anything even remotely "security-related," or anything that can affect the operation of your server ("how your site works").

If your premium customers have accounts (login username and password) on your site, then use a cookie that is set when they log in, and thereafter suppresses advertising. Really, this control mechanism needs to take place 100% within your own domain.

If you are willing to put up with approximately 33% of your incoming "premium customer" referrals seeing ads, then the referrer-based method may be good enough. Otherwise, some other approach is needed.

Jim

How easy is it to spoof HTTP_REFERER so that some percentage of non-premium members can see premium content?

Also cookie based approach for premium content does not work in our case. Perhaps a better analogy would be to use affiliate marketing: wherein if someone comes thru a particular link then they can see premium content (of course the affiliate never want to use someone else's id and givem them credit ;) )

It's not easy for Joe-average surfer to spoof the referrer. But if your content is worth the effort --valuable enough-- then you will encourage some percentage of your visitors to go seek the tools needed to do it. They're not hard to find.

In affiliate marketing, the affiliate identifies himself via the requested URI so as to get credit from you. After validating the affiliate ID, you could then set a cookie to prevent your ads from showing. It's pretty much either that or require your premium visitors to login (HTTP cookies and HTTP authentication headers are sent to your server with every request from the browser).

Maybe someone else has more or better ideas, but I've posted all of mine short of magic or divine intervention...

Jim