Allow certain sites iframing own content

and block all other sites, is this possible?

         

hawwnk

8:05 pm on Oct 2, 2007 (gmt 0)

10+ Year Member



Hi,

On my website I have a nice calculator (written in PHP) which some websites are interested in. I don't want to give them the source code, so I decided to allow them to iframe the calculator sitting on a separate unstyled site (first question, is this the best option?).

The main question is how do I control that only certain websites will iframe the calculator and not other websites? Is there a way of checking which URL has iframed my site and serving all other URLs a different content?

Would be great to hear some suggestions.

Many thanks

eelixduppy

4:06 am on Oct 3, 2007 (gmt 0)



If they have a static IP you can limit access based on IPs. Have a list of acceptable ones in a database table and reject all the others.

...and Welcome to WebmasterWorld :)

hawwnk

6:20 am on Oct 3, 2007 (gmt 0)

10+ Year Member



Thank you for the welcome.

Could I also base it on the URL Referer, or is this something which can be tricked or which does not always work?

joelgreen

6:43 am on Oct 3, 2007 (gmt 0)

10+ Year Member



Referrer can be easily spoofed, but I still believe checking referrer would protect in most cases.

php4U

8:27 pm on Oct 4, 2007 (gmt 0)

10+ Year Member



I don't know if you have found a solution to this yet, but here is an idea that may work. Since you worked to put your code together and you don't want to give it out... could you include a link to your site so you get credit, and "encode" your source? If your script isn't large, other site owners could easily download it and put it on their own server (if they are interested enough they can get someone to help them do this). I wouldn't imagine that it would use much bandwidth, but it would be their responsibility instead of yours. If they viewed the source code it would be encoded so they wouldn't be able to remove your site link or see your code. Good luck. Brad

PHP_Chimp

10:10 pm on Oct 4, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Another option may be to require a password to enable people to use the script. So they could post the password to a page that then either lets them in to the script or gives them whatever message you want to supply.
If you then charged by the number of uses, people are unlikely to give out their password when they will pay for others to use it. This will mean that everything will run on your server, so they never need to see the source code, so no encryption needed.

The other option is to just sell the script to people then offer support as the person who wrote the script. Others will copy the script but then eventually people will break through your security anyway. So it all depends on how much time/money you want to spend protecting the code or just sell it on and offer support for it.

hawwnk

8:48 pm on Nov 6, 2007 (gmt 0)

10+ Year Member



Hi,

Still haven't found a solution but have a couple of questions:

1. Referrer: I believe the referrer depends on the client browser, right? So, the user can spoof the referrer but not the website owner who puts my tool in an Iframe. If I check the referrer then the users who correctly show the referrer could get another image served but any users who spoof their referrer or block the referrer would get to see the original. Is my understanding correct so far?

2. IP address: Is this also based on the client browser as above or is this foolproof, i.e. my PHP will always get to see the IP address of the website which uses the Iframe?

Thanks

hawwnk

8:52 pm on Nov 6, 2007 (gmt 0)

10+ Year Member



Thanks for the other suggestions. Encoding the source code and handing it over to clients is not an option as my code is written in PHP and the clients use mainly ASP, plus I really don't want to give out even encoded code.

The clients are putting the tool on their own websites to drive a bit of traffic, so it's freely accessible to anyone. Therefore, the password suggestion is also not an option.

But thanks for the suggestions.

FourDegreez

9:18 pm on Nov 6, 2007 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You should be able to have some javascript on your page that can check to see if the iframe's parent is a whitelisted site, no?

The IP address you are going to get is the IP of the browser, not the framing site.

The referrer, keep in mind, is sometimes blank even for legitimate requests. Why? Either it is privatized intentionally by a browser add-on, or sometimes browsers are just flaky and don't always send it. For this reason, usually when people check the referrer they allow blank referrers to get the goods, too--in other words, default toward leniency. Only block access when the referrer comes back showing the wrong site. But you can see, using the referrer is not that great of a solution.

Other ideas are more complicated... publish your calculator as a web service, for example, or utilize AJAX for display rather than an IFrame.

Achernar

12:24 am on Nov 7, 2007 (gmt 0)

10+ Year Member Top Contributors Of The Month



This javascript code should work:


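// Hosts that are allowed to frame this page
var S=['www.example.com','example.com','dev.null'];

// Returns 1 if host l is in the allowlist, undefined otherwise
function chk(l) {
  for (var i=0,s;s=S[i];i++) if (l==s) return 1;
}

// Only act when this document is inside a frame
if (window!=top) {
  var l;
  // document.referrer is the URL of the framing page; element [2] of the split is its host.
  // If a referrer is present and its host is not allowed, break out of the frame.
  if (document.referrer && (l=document.referrer.split('/')[2]) && !chk(l)) top.location=window.location;
}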

[edited by: Achernar at 12:25 am (utc) on Nov. 7, 2007]

hawwnk

8:51 pm on Nov 13, 2007 (gmt 0)

10+ Year Member



Thanks, that js code is really useful. I went with that one now. Just one thing, I tried to modify it to

if (top.location.href && (l=top.location.href.split('/')[2]) &&!chk(l)) top.location.href="http://www.mysite.com"

but that didn't seem to work 100%. Any reason why?

Achernar

12:20 am on Nov 14, 2007 (gmt 0)

10+ Year Member Top Contributors Of The Month



Your browser doesn't have the permission to read top.location from a frame (or another window) when "top" is not of the same domain. That's why in my example, a first test is done by comparing "top" and "window". It allows you to know if your document is the top element or not. Then you can decide to modify top.location - but still can't read it (only write).
In your original question you stated that you would like to only allow some sites. The only way to know which site is framing your page is by looking at the value of document.referrer of your frame. It is the equivalent of reading top.location.href if you were allowed to.
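
The referrer allowlist from Achernar's snippet combined with the blank-referrer leniency FourDegreez describes, as an added example that is not part of any post in this thread. It parses the referrer with the URL API instead of split('/') so that ports, letter case and look-alike hosts are handled; the function names are hypothetical and the hostnames are constructed samples.

```javascript
// Added example, not code from the thread. Hostnames are constructed samples.
const ALLOWED_HOSTS = new Set(['www.example.com', 'example.com']);

// Classify a request from the referrer the framed page sees
// (document.referrer in the browser, the Referer header on the server).
//   'top'   - page is not framed, nothing to check
//   'allow' - referrer host is on the allowlist
//   'blank' - no referrer was sent (privacy add-on, browser quirk)
//   'block' - a referrer was sent and it does not name an allowed host
function classifyFraming(isFramed, referrer, allowed = ALLOWED_HOSTS) {
  if (!isFramed) return 'top';
  if (!referrer) return 'blank';
  let url;
  try {
    url = new URL(referrer);
  } catch (e) {
    return 'block'; // present but not a valid absolute URL
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return 'block';
  // hostname excludes port and userinfo and is lower-cased by the parser;
  // strip a trailing dot so "example.com." compares equal to "example.com".
  const host = url.hostname.replace(/\.$/, '');
  // Exact match only: a suffix or substring test would accept
  // "www.example.com.other.test".
  return allowed.has(host) ? 'allow' : 'block';
}

// Lenient policy: blank referrers are served. Strict policy: they are not.
// The referrer is supplied by the visitor's browser, so either policy only
// stops ordinary visitors of a non-allowed framing site.
function shouldServe(decision, lenient = true) {
  if (decision === 'top' || decision === 'allow') return true;
  return decision === 'blank' && lenient;
}

// In the framed page this would be called as:
//   classifyFraming(window !== top, document.referrer)
```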