thanks in advance.
This sounds like you're thinking about HTTP referrer-based access control, which is not reliable enough to use for commercial applications. Some clients (browsers, robots, etc.) provide referrers, some don't. Some clients connect through proxies that drop the referrer headers, and some don't. Some clients make it very easy to spoof a referrer, and some don't. In short, the referrer ranges from blank, to valid, to fake, and so it's not really usable where your fund$ are concerned.
Doesn't this service offer a better way to indicate payment/authorization to your site?
Jim
The site is built on the Joomla CMS. I can't find any decent payment plugins for Joomla, so the best idea I could come up with was the "join now" linked to ClickBank, then the ClickBank thank you would link to the registration for members area page. I figured that the only way to get to the registration page would be from the link on ClickBank? Thought I remembered seeing a way this could be done on the adult site forums or somewhere but can't find it now.
All I'm looking for is a way to protect the registration page from any direct access except from a specified URL? Any suggestions, I'm stuck dead in my tracks now lol
thanks
You'll need some way to set and check a cookie that indicates they've been through the payment process, or better yet, a 'callback' function so that a script on your server can access the payment gateway and verify payment.
I'm speaking in generalities here, because I've never used that kind of service. Hopefully, someone with more experience with such things will check in here. I just wanted to warn you that referrer-based access control is not reliable enough to depend on where money is concerned. It works 'almost well enough' for protecting images against hotlinking, but certainly not well enough for a payment-based site to stay out of legal trouble.
Jim
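The gap between a referrer check and a server-verified payment marker, as an added example that is not part of the original thread and is not ClickBank or Joomla code: the server issues a signed, expiring, single-use token only after it has confirmed payment with the gateway, and the registration page redeems it. The secret, the URL, the order IDs and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"          # assumption: kept only on your server
THANKYOU_URL = "https://payment.example/thanks"  # constructed placeholder URL
TOKEN_TTL = 900                              # seconds a token stays valid
_redeemed = set()                            # use a database table in production


def referer_allows(headers):
    """Referrer-based gate: trusts a header the client fully controls."""
    return headers.get("Referer", "").startswith(THANKYOU_URL)


def _sign(message):
    return hmac.new(SECRET, message.encode(), hashlib.sha256).hexdigest()


def issue_token(order_id, now=None):
    """Call only after the server has confirmed payment with the gateway."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    message = f"{order_id}.{expires}"
    return f"{message}.{_sign(message)}"


def redeem_token(token, now=None):
    """Return the order id if the token is genuine, unexpired and unused."""
    now = time.time() if now is None else now
    try:
        order_id, expires, signature = token.rsplit(".", 2)
        expires_at = int(expires)
    except ValueError:
        return None
    expected = _sign(f"{order_id}.{expires}")
    if not hmac.compare_digest(signature.encode(), expected.encode()):
        return None                          # forged or altered token
    if expires_at < now or order_id in _redeemed:
        return None                          # expired, or already used once
    _redeemed.add(order_id)
    return order_id
```

The token can travel in a cookie or in the link to the registration page; either way the registration page trusts the signature rather than where the visitor came from.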
1. Make the order scripts; in the order script you then post to the ClickBank CGI or whatever format they use. At this time they should respond via OK or denied, so you inform the client or redirect.
2. You get the post back to do whatever processing needs to be done, i.e. affiliate tracking, adding of information to the database, etc. This is what you protect. ClickBank will only call it from a certain IP or sets of IPs; you allow access to this script only to ClickBank's IPs.
They probably have a special field for the CLIENT's IP address, since now your server might be calling their payment gateway, so your IP will be in the system for the CC check; if this field is present, it will override with the client's IP for the advance fraud check.
Hope that is some insight, best to ask them the best way, normally and especially if you are a proven seller, they will have stuff for you, such as scripts etc. that they won't just give out to anyone.
Hope this helps
Regards,
Bugmaster
[edited by: Woz at 6:23 am (utc) on Jan. 27, 2006]