Custom Thank-You page (self hosted) - How to validate referrer?

link

ejunkie

option

click

site

page

access

generated

header

accessed

martin_p 2011-05-11 06:55:14 UTC #1

Hi

For one of my products I'm using the redirection option to push buyers to a page on my site (rather than the download option).

I only want that page accessible if it's being accessed via the link generated by EJ (i.e. customers can only access it if they click on the "Click here to access ..." link on the ejunkie page, they should NOT be able to access the url on my site directly).

As not all browsers pass the referrer details I'm reluctant to use that to check whether they've arrived through the ej link but as it stands, I'm struggling to see any other option - which is why I'm asking here...!

**EDIT: I've just checked and it looks like NO header info is passed at all (using Firefox or IE) - is this because e-junkie uses a 302 redirect?

Anyone have any suggestions/ideas on only allowing access to a (self-hosted) page when it's being accessed from the ej link?

Thanks in advance

Martin

E-junkie_Monster 2011-05-11 10:28:17 UTC #2

Hi Martin,

Our help page here describes what kind of order information we pass on when you use the Redirection feature on a product:

http://www.e-junkie.com/ej/help.redirection.htm#product

You can create a script on your page that watches for this kind of order information to tell whether or not someone is visiting the page directly or if they have passed through a link we generated after an order. Bear in mind that our redirection links do expire the same way as download links do, so a buyer would not necessarily have unlimited access to that page even after they have paid.

martin_p 2011-05-11 10:36:42 UTC #3

Hi

Thanks for that - I am actually using some of those GET vars already - my issue however is preventing someone just copy/pasting the URL once they're there and then sharing that link, so I wanted to find out how to stop direct access to the page (i.e. only allow someone to view it if they've come there via the link EJ creates).

The difficulty I'm facing is that there's no referrer being passed (probably because you're using a 302 redirect), and no handshake type variable is available to confirm where they're coming from.

Any suggestions?

Thanks

Martin

E-junkie_Guru 2011-05-11 17:51:43 UTC #4

I've asked Development to look into this. It was my understanding that custom scripting in your page could read HTTP_REFERER to recognize when a user is being redirected from e-junkie.com vs. arriving there directly, but if that HTTP header is not transmitted in the way we implement redirections, I'm not sure how else it could be done.

martin_p 2011-05-11 18:29:52 UTC #5

Hi

Would it not be possible to include a hash along with the other GET variables - say something similar to the POST handshake hash that gets passed when you transmit the IPN to an external link? Maybe a hash of the username/password and date/time?

Obviously have no idea how easy or not it would be to append that data to the GET vars, but as you're already passing a hash I don't imagine it would be that difficult.

Speaking of which, what does the hash that's in the GET vars actually signify?

Thanks

Martin

E-junkie_Guru 2011-05-12 15:01:33 UTC #6

Here's something you could do:

Upon the buyer's first visit to your redirection landing page, save the GET value for 'txn_id' at your end and set a cookie in the buyer's browser with a value set to that ID (or maybe a hash of it, possibly incorporating other values from HTTP headers identifying the buyer's browser, OS, etc., thus making the cookie harder to forge on another computer).

If the 'txn_id' value in the URL for any visit matches an ID already stored at your end, look for the cookie indicating the original buyer is merely re-accessing their page; otherwise, if the cookie is absent, refuse to grant access.

If this blocks a legitimate buyer because they have cleared the cookie or are using a different computer or browser, you can simply delete the 'txn_id' from your end to allow the buyer to visit the URL and set a new cookie.

martin_p 2011-05-13 04:50:56 UTC #7

Hi

Thanks for the suggestion - I'll look at putting that in place today and see how it goes.

Going forward it would be great if there was some way of identifying whether the visitor is coming from EJ though - I'm sure I'm not alone in trying to get that kind of functionality

Thanks

Martin

ellen 2011-05-13 22:29:36 UTC #8

I've just answered Martin's helpdesk ticket on this, but for everyone's benefit...

We actually do append a hash to the redirection URL to act as a simple MAC. Just somehow Robin forgot to document it O_o;

It's added after all the other variables, like this:

$url .= '&hash=' . md5($client_id . md5($password) . $url);

I've updated the documentation to reflect this:

http://www.e-junkie.com/ej/help.redirection.htm

E-junkie_Guru 2011-05-31 20:40:20 UTC #10

One thing to be aware of; if a buyer shares the URL of their redirection landing page with others, that URL would include the hash value, so in this case it's useless for preventing direct visits.

However, your landing URL could re-redirect to yet another URL that strips away the hash, making its involvement less apparent, and in that case simply copying the final landing page's URL to paste elsewhere could be made to fail if they don't go through the hash-bearing URL first and don't have a cookie proving they ever did go through that URL.

SOLUTIONS FEATURES PRICING DISCOVER PRODUCTS CONTACT HELP DOCS DASHBOARD

Forum

E-junkie Community Forum

Share and learn in the E-junkie community.