验证点击是否来自特定网站

Question

I'm building a custom authentication process where each user who came by clicking the link (containing unique hash) at the website B is automatically logged in on website A. The login process is not a question.

The question is about security: how to ensure that the user came from the specific website and not from any other? I can validate a variable $_SERVER['HTTP_REFERER'] but it can be easily spoofed. Is there a way to get the referrer IP (not the client machine IP which is in the $_SERVER array) or any other way to secure this process?

Answer 1

Suggestion 1

When the link is clicked on the first website store the time and user ip in a database.

When the user request is then made on the second website it can take the time and user ip and ask the first website if the link was clicked by that ip recently.

Suggestion 2

The link on the client's site could link to a page on their site that uses PHP's file_get_contents() to show the linked page. Because it was PHP that requested the linked page a user can't spoof the document.referrer. I have no idea how this would affect cookies, external references and the like.

It definitely breaks relative links.

Change the link from

`<a href="https://your-website.com/page/to/link/to">Click Here</a>`

to

`<a href="https://client-website.com/special-page?linked-page-url=https://your-website.com/page/to/link/to">Click Here</a>`

Special page on client's website:

<?php
$linkedPageUrl = $_GET['linked-page-url'];
var_dump(file_get_contents($linkedPageUrl));
?>