I want to implement a referral program for my SaaS product.
The partner will have a link on their website that will direct their user to my signup form:
domain.com/referral/201030
"201030" being the member id from the partner site.
I want to make sure the page request came from my partner site,
I know I could check $_SERVER['HTTP_REFERER'] but that is not secure.
Is there a way I can check the IP address of the site referring the user to my webpage with PHP?
When do you need high security?
For an API, for example, you want to track the incoming traffic and make sure only authenticated clients can access the API. This needs higher security standards and an exchange of public keys and secrets.
When not?
A referral program doesn't need this kind of security.
The more traffic you have, the better for you. You don't care where the lead is coming from. When I send my partner program link to someone via messenger, there is not even a HTTP_REFERER.
Is it even possible?
It is very difficult, if not impossible, to make sure where the user is coming from without server-side interaction, obfuscation and dynamic links.
Any chance?
The only way, using a static link, is $_SERVER['HTTP_REFERER']. You can downvote the answer now, but it doesn't change the fact that there is no way, with a simple, non-dynamic link like shown in the question.
Turn the referer into an IP
To turn the HTTP_REFERER into an IP:
$urlParts = parse_url($_SERVER['HTTP_REFERER'] ?? '');   // the header may be absent, and is chosen by the client
$host = is_array($urlParts) ? ($urlParts['host'] ?? null) : null;   // parse_url() returns false on malformed input
$ip = $host ? gethostbyname($host) : null;   // gethostbyname() returns the hostname unchanged on lookup failure
Keep in mind that this is neither reliable nor secure in any way.
I'm making a social network and I'm trying to implement a feature where, if the user is logged in from a different machine, it will ask him to type in the password or identify his friends, like on Facebook.
I can do this using IP checks, but that would be stupid if the user had a dynamic IP address. Another option is cookies, but that would also be stupid for many reasons, one being that it's client-side.
So then, I think the MAC address will be the thing to use, but I have no idea how to grab the MAC address using PHP or JavaScript.
I think if this is possible, then it will be via JS because it is client-side.
So, any suggestions?
Why is it 'stupid' to use client-side information for authentication? That's where you'll be getting the username and password from, and you're likely trusting that already.
There is no way to grab the user's MAC address unless you're on the same network and the network allows such a lookup using ARP.
You'll likely have to use cookies for this, and just make sure not to clear them if a particular browser is 'trusted'. If you think users are likely to share cookies with each other along with their username and password, you could encode some other browser-specific fields (the exact UA header?) into the cookie to add more data you can use to decide if the client is trusted.
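One way to build the signed "trusted browser" cookie this answer describes, as an added example in Python that is not part of the original answer (PHP's hash_hmac() and hash_equals() give the same primitives). The server key, the 90-day lifetime, the cookie layout and the UA fingerprint field are assumptions; the point is that the cookie is opaque, bound to one user and one browser, and rejected on any tampering, so the "client-side" objection in the question does not apply.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumption: a long random key that lives only on the server and is rotated.
SERVER_KEY = b"replace-with-32-random-bytes-from-os-urandom"
TRUST_MAX_AGE = 90 * 86400  # assumption: a trusted browser is remembered for 90 days


def _ua_fingerprint(user_agent: str) -> str:
    # The browser-specific field the answer suggests. It is not a secret; it only
    # makes a copied cookie worthless on a browser that sends a different UA.
    return hashlib.sha256(user_agent.encode()).hexdigest()[:16]


def issue_device_cookie(user_id: int, user_agent: str, now: Optional[float] = None) -> str:
    """Mint the cookie after a full login on a browser the user marks as trusted."""
    now = int(time.time() if now is None else now)
    payload = {
        "uid": user_id,
        "dev": secrets.token_hex(8),   # random per-browser id so one device can be revoked
        "ua": _ua_fingerprint(user_agent),
        "iat": now,
    }
    body = base64.urlsafe_b64encode(
        json.dumps(payload, separators=(",", ":")).encode()
    ).decode()
    sig = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"   # set it with HttpOnly; Secure; SameSite=Lax


def device_is_trusted(cookie: Optional[str], user_id: int, user_agent: str,
                      now: Optional[float] = None) -> bool:
    """True only if the cookie is intact, belongs to this user and browser, and is not expired."""
    if not cookie or "." not in cookie:
        return False
    body, sig = cookie.rsplit(".", 1)
    expected = hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time; any edit invalidates it
        return False
    try:
        payload = json.loads(base64.urlsafe_b64decode(body.encode()))
    except (ValueError, TypeError):
        return False
    now = int(time.time() if now is None else now)
    if payload.get("uid") != user_id:
        return False                               # minted for someone else
    if payload.get("ua") != _ua_fingerprint(user_agent):
        return False                               # copied to a different browser
    if now - int(payload.get("iat", 0)) > TRUST_MAX_AGE:
        return False                               # too old; ask the user again
    return True


def login_decision(cookie: Optional[str], user_id: int, user_agent: str,
                   now: Optional[float] = None) -> str:
    """'ok' lets the password login through; 'step-up' means re-type the password or identify friends."""
    return "ok" if device_is_trusted(cookie, user_id, user_agent, now) else "step-up"


if __name__ == "__main__":
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
    c = issue_device_cookie(42, ua)
    print(login_decision(c, 42, ua))          # ok
    print(login_decision(c, 42, "curl/8.0"))  # step-up
```

Store the "dev" id server-side per user if you want a "sign out of all other devices" button; the signature alone already stops a user from forging a cookie for another account.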
That's more a comment than an answer:
I'm making a social network and I'm trying to implement a feature where, if the user is logged in from a different machine, it will ask him to type in the password or identify his friends, like on Facebook.
I'm not the author of that feature from facebook, so I don't have the specification of that feature at hand. If you would be so kind and add the specification of the feature you ask a question about to your question, it's probably possible to answer your question profoundly.
I have come up with a solution
I can use this API: http://ipinfodb.com/ip_location_api.php and grab the location of my users and, if it changes, ask them to verify the device.
This is not a duplicate, as it may seem from the title. Continue reading.
So what I want is to create a JS script which would automatically send an invitation to a certain user to become a friend.
How do I approach this?
Basically, the user will need to copy my JS code into the browser URL bar, which will append the JS directly to the Facebook session (meaning that I can then send POST requests on behalf of the user).
Of course, users are aware of the final result. (It is a sort of blind dating that I am thinking of making.)
Is this theoretically possible?
Edit: I think the best way to implement something like this is to use Facebook Connect to authenticate users on your site and connect the users that way. Once the users have connected on your site, invite them to connect on Facebook too (by using the method below or just linking to their profile). This way, you're controlling the "meet", like you want, but you're also allowing them to connect on Facebook in a legitimate way.
Give this dialog a shot, and just direct the user to:
http://www.facebook.com/dialog/friends/?id=<USER_ID_TO_BE_ADDED>&app_id=<APP_ID>&redirect_uri=<ADDRESS_IN_YOUR_DOMAIN>
Alternatively, you could simply open a popup with that URL using window.open.
From what you suggested in your question though, it doesn't sound like you wish to use the feature like Facebook intended. From the usage notes:
This feature is intended to help users become friends on Facebook with people that they are connected to in real life. You should not use this feature to encourage users to friend other users that they are not connected to in real life. If your app is found to be encouraging this behavior, your usage of this feature may be disabled.
I have a web API that I want to allow any domain to submit data to. However, to keep bogus spam down, I want to find some way to ensure that a request stating it's from a certain domain actually is from that domain, and that someone isn't trying to trick me by posting on another domain's behalf.
For example, if http://example.com submits some data, that's good. If script kiddie #237 submits data claiming to be example.com, that's bad.
At first I was going to use a secret key system to HMAC sign each request - but signup is going to be open, free, and automated for this API. I'm not sure how I could tell if PersonA or PersonB really owns http://example.com and deserves the API key.
Provide a key file that they will have to upload to that domain. Then check for its existence and validate its data against your internal database.
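A way to do the key-file check this answer describes, as an added example in Python (not the answer's own code). The token is an HMAC over both the account and the domain, so a file copied from one site cannot be used to claim that domain for a different account, and no database lookup is needed to recompute it. The .well-known path, the server key and the fake fetcher standing in for an HTTPS request are assumptions.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Assumption: a server-side secret; with it the token needs no database row at all.
SERVER_KEY = b"replace-with-a-long-random-server-secret"


def expected_token(account_id: str, domain: str) -> str:
    """Token the account holder must publish on the domain.

    Bound to (account, domain): copying example.com's file to attacker.example,
    or claiming example.com from a second account, yields a mismatch."""
    canonical = domain.strip().lower().rstrip(".")
    msg = f"{account_id}\n{canonical}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:40]


def verification_url(domain: str) -> str:
    # Assumption: the file lives at a fixed well-known path, fetched over HTTPS only.
    # The fetcher must not follow redirects to other hosts, or a redirect would let
    # one domain "verify" on another's behalf.
    canonical = domain.strip().lower().rstrip(".")
    return f"https://{canonical}/.well-known/api-verification.txt"


def verify_domain(account_id: str, domain: str,
                  fetch: Callable[[str], Optional[str]]) -> bool:
    """Fetch the key file and compare its first line with the expected token."""
    body = fetch(verification_url(domain))
    if not body or not body.strip():
        return False
    first_line = body.strip().splitlines()[0].strip()
    return hmac.compare_digest(first_line, expected_token(account_id, domain))


# ---- constructed stand-in for the internet; these are not real sites ----------
FAKE_SITES = {
    # personA controls example.com and published their token there
    "https://example.com/.well-known/api-verification.txt":
        expected_token("personA", "example.com") + "\n",
    # attacker.example copied example.com's file verbatim
    "https://attacker.example/.well-known/api-verification.txt":
        expected_token("personA", "example.com") + "\n",
}


def fake_fetch(url: str) -> Optional[str]:
    """Stands in for an HTTPS GET with redirects disabled and a short timeout."""
    return FAKE_SITES.get(url)


if __name__ == "__main__":
    print(verify_domain("personA", "example.com", fake_fetch))       # True
    print(verify_domain("personB", "example.com", fake_fetch))       # False
    print(verify_domain("personB", "attacker.example", fake_fetch))  # False
```

Only hand out the API key after verify_domain() returns True, and re-check periodically: domains change hands, and the file disappearing is a cheap signal to suspend the key.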
I would like to put a link back to my site on other "approved" domains. When they click on the link, it goes to a page that checks the referrer ($_SERVER['HTTP_REFERER']) to make sure they came from a domain that is approved to have my link. This can be spoofed, so how can I make sure the clicks are actually coming from the approved domains?
You can't do it. You can't prevent the referrer from being tampered with.
An alternative would be possible if there were collaboration between the several sites. For instance, the links in the other sites to yours could pass a token as a parameter in the URL that would be usable only once and which you could then validate.
Several validation strategies would be possible. Your site could contact the other site and ask it if the passed token is valid, or you could employ a signature with the token acting as a nonce so you didn't have to contact the other site.
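The signature-with-nonce variant from this answer, which is also the dynamic-link approach the referral-program answer at the top of the page says is the only real alternative to the referer header, as an added example in Python that is not code from either answer (PHP's hash_hmac() and hash_equals() map onto it directly). Each partner holds a shared secret and builds the link on their side; the signup side checks the signature, a freshness window and one-time use of the nonce, and never looks at HTTP_REFERER. The partner id, query parameter names and ten-minute window are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: one shared secret per partner, handed over out of band at signup.
PARTNER_SECRETS = {
    "partner-7": b"partner-7-shared-secret-rotate-me",
}
MAX_SKEW = 600  # assumption: a link is accepted for ten minutes after it was built


def _signature(secret: bytes, partner_id: str, member_id: str, ts: int, nonce: str) -> str:
    # Newline-separated fields so concatenation ambiguities ("12"+"3" vs "1"+"23") cannot arise.
    msg = f"{partner_id}\n{member_id}\n{ts}\n{nonce}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_referral_link(partner_id: str, member_id: str, now: Optional[float] = None) -> str:
    """Runs on the PARTNER's server each time the link is rendered (dynamic, not static)."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    sig = _signature(PARTNER_SECRETS[partner_id], partner_id, member_id, ts, nonce)
    query = urlencode({"p": partner_id, "ts": ts, "n": nonce, "s": sig})
    return f"https://domain.com/referral/{member_id}?{query}"


# Replay cache; in production a shared store with a TTL of at least MAX_SKEW.
SEEN_NONCES: set = set()


def validate_referral(url: str, now: Optional[float] = None) -> Optional[Tuple[str, str]]:
    """Runs on YOUR server. Returns (partner_id, member_id), or None if the link is not trustworthy."""
    u = urlparse(url)
    parts = u.path.rstrip("/").split("/")
    if len(parts) < 3 or parts[-2] != "referral":
        return None
    member_id = parts[-1]
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    try:
        partner_id, ts, nonce, sig = q["p"], int(q["ts"]), q["n"], q["s"]
    except (KeyError, ValueError):
        return None
    secret = PARTNER_SECRETS.get(partner_id)
    if secret is None:
        return None
    # 1. Integrity: only a holder of the partner secret could have produced this link.
    if not hmac.compare_digest(_signature(secret, partner_id, member_id, ts, nonce), sig):
        return None
    # 2. Freshness: a harvested link stops working after MAX_SKEW seconds.
    current = int(time.time() if now is None else now)
    if abs(current - ts) > MAX_SKEW:
        return None
    # 3. One-time use: the same link cannot be submitted twice.
    key = (partner_id, nonce)
    if key in SEEN_NONCES:
        return None
    SEEN_NONCES.add(key)
    return partner_id, member_id


if __name__ == "__main__":
    link = build_referral_link("partner-7", "201030")
    print(link)
    print(validate_referral(link))   # ('partner-7', '201030')
    print(validate_referral(link))   # None: replay of the same nonce
```

This does what the referer cannot: it proves the link was minted by someone holding the partner's secret, not merely that a browser claimed to arrive from the partner's site. The trade-off is exactly the one the earlier answer names: the partner must render the link dynamically, so a link copied into a messenger stops working after MAX_SKEW and after its first use.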
Here's the deal:
- Flair pretty much demands a Facebook app
- I'm working on learning the Facebook platform
Therefore, I've written a dinky little Facebook app to embed your Flair into a box on the side of your profile. If you're interested and on Facebook, beware that this is very much a work in progress, prone to change, and has a whole bunch of rough edges.
However, I don't have an elegant way to say "this is MY Stackoverflow profile" from this dinky app. My current solution is best demonstrated by this image. It is, frankly, idiotic, and there's nothing preventing impersonation.
Having no experience with OpenID, I'm wondering if there's some way (and some example of this way, please) to get a user to provide their Stackoverflow identity to a third party?
Behavior changed to that suggested by Noldorin's answer.
Request for a saner way to do this declined on UserVoice.
There's no way to get a StackOverflow ID from OpenID and to do the opposite would be possible but unnecessarily complicated (compared to your suggested method). Copying and pasting the user ID/profile URL isn't terribly inconvenient, in my mind.
However, I can suggest some sort of solution to the issue of impersonation. This may seem like a slightly silly method, but it's the simplest way of which I can think to ensure that only the user themselves can display the badge. Again, I don't think it's too inconvenient. (The more traditional method of using an email confirmation isn't possible, given that emails aren't public.)
Have your Facebook app generate a random (alphanumeric?) code. Something in the form A8IO45QW6T should do.
Hold this code on the server side of your Facebook app for a short time period (say, 5 minutes).
Instruct the user to edit their About Me information by adding the given code to the last line, then to return to Facebook and confirm. Simple inspection of the HTML for the profile page of the specified user would verify ownership. The user can then remove the verification code from their About Me text.
Nice idea creating this Facebook app, by the way. I may just give it a try!
Another solution that would allow for instant verification is hashing the email address and checking to see if it matches the user's Gravatar. Granted, not every user has provided an email address, but you can always perform this check first and if it fails you can fall back to the About Me section editing (or simply require that the user have an email address). This idea is not mine, so I'll let null explain:
Do you still have the source available? As I've gotten a solution to prevent other users from messing up your results. You just need to hash the email address used by the viewer and check for the gravatar image link on the page as outlined on the gravatar site. If the user id and image hash match, then record the change to the database, otherwise... just show results. I can make that change, but the source seems lost... :(
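The two ownership checks in this answer, the short-lived code pasted into About Me and the Gravatar hash match, as an added example in Python (not code from the answer or from the Flair app; PHP's md5() and random_bytes() map onto it directly). The profile HTML is constructed here to stand in for a fetched Stack Overflow profile page; the div id, the five-minute TTL and the code length follow the answer's description, not any real page layout.

```python
import hashlib
import hmac
import html
import re
import secrets
import time
from typing import Dict, Optional, Tuple

CODE_TTL = 300  # the answer suggests holding the code for about five minutes

# (facebook_user, claimed_so_user_id) -> (code, expires_at); a DB or cache in production
PENDING: Dict[Tuple[str, str], Tuple[str, float]] = {}


def issue_challenge(fb_user: str, so_user_id: str, now: Optional[float] = None) -> str:
    """Generate a 10-character code bound to this (Facebook user, claimed SO id) pair."""
    now = time.time() if now is None else now
    code = secrets.token_hex(5).upper()   # 40 random bits, in the A8IO45QW6T style
    PENDING[(fb_user, so_user_id)] = (code, now + CODE_TTL)
    return code


def extract_about_me(profile_html: str) -> str:
    # Assumption: the About Me text sits in <div id="user-about-me">...</div>.
    m = re.search(r'<div id="user-about-me">(.*?)</div>', profile_html, re.S)
    if not m:
        return ""
    text = re.sub(r"<[^>]+>", "\n", m.group(1))   # tags become line breaks
    return html.unescape(text)


def about_me_proves_ownership(fb_user: str, so_user_id: str, profile_html: str,
                              now: Optional[float] = None) -> bool:
    """True if the code issued to THIS pair is the last non-empty About Me line."""
    rec = PENDING.get((fb_user, so_user_id))
    if rec is None:
        return False
    code, expires_at = rec
    now = time.time() if now is None else now
    if now > expires_at:
        del PENDING[(fb_user, so_user_id)]
        return False
    lines = [ln.strip() for ln in extract_about_me(profile_html).splitlines() if ln.strip()]
    if not lines or not hmac.compare_digest(lines[-1].encode(), code.encode()):
        return False
    del PENDING[(fb_user, so_user_id)]   # single use; the user can now delete the code
    return True


def gravatar_hash(email: str) -> str:
    """Gravatar's published rule: trim, lowercase, MD5."""
    return hashlib.md5(email.strip().lower().encode()).hexdigest()


def gravatar_proves_ownership(email: str, profile_html: str) -> bool:
    """Instant check: the hash in the profile's Gravatar URL must equal the hash of the viewer's email."""
    m = re.search(r"gravatar\.com/avatar/([0-9a-f]{32})", profile_html)
    return bool(m) and hmac.compare_digest(m.group(1), gravatar_hash(email))


def make_profile(about_me_lines, gravatar_email: str) -> str:
    """Constructed profile page used only to demonstrate the checks."""
    paragraphs = "".join(f"<p>{html.escape(ln)}</p>" for ln in about_me_lines)
    return (
        f'<img src="https://www.gravatar.com/avatar/{gravatar_hash(gravatar_email)}?s=64">'
        f'<div id="user-about-me">{paragraphs}</div>'
    )


if __name__ == "__main__":
    code = issue_challenge("fb-alice", "12345")
    page = make_profile(["Hi, I write PHP.", code], "alice@example.com")
    print(about_me_proves_ownership("fb-alice", "12345", page))   # True
    print(gravatar_proves_ownership("Alice@Example.com ", page))  # True
```

Try the Gravatar check first, as the answer suggests, and fall back to the About Me challenge when the profile shows no Gravatar. Note that the Gravatar route only proves the viewer knows the email address behind the avatar, which is weaker than editing the profile, so treat it as a convenience rather than a stronger proof.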