0

Brief explanation:

A User gets an iframe embed-link (e.g. `<iframe src="https://www.platform.com/HASH">`)

  1. Using HASH from the URL, determine the User, check if the request is coming from one of the User's domains and increase the view count.

  2. View count logic: If a shopper (the user's customer, not mine) calls a user's page, then increase the view count, and the same User's shopper can call the page as many times as he wants for the next 30 min without the view being increased.

Any tips on how 1. and 2. can be implemented? Thanks for all your support.

J. Taiga
  • @Dave I am not asking you to write code for me, I am just asking politely what possibilities there are to implement the above-mentioned scenario, nothing more. – J. Taiga Feb 13 '19 at 14:23
  • Afraid that isn't how SO works. You need to show us your effort and we will try to help you. Please take a look at the links in my comment for further information. – Dave Feb 13 '19 at 14:24
  • I'm afraid that what you're asking is not possible. _User Agents_ and the _Http Referer_ header can always be spoofed by the client. From the server perspective, you cannot verify the validity of these values and must accept them at face value. Therefore, if you need to be absolutely sure, you'll need to use something like _OAuth 2.0_... – War10ck Feb 13 '19 at 14:44
  • Sounds like the problem here is that you are rewarding views (which are pretty worthless, and [easily faked even without bots](https://whatis.techtarget.com/definition/click-farm)) and not conversions. – Quentin Feb 13 '19 at 14:45
  • @Quentin not rewarding, charging customer per view. – J. Taiga Feb 13 '19 at 15:02

1 Answer

-1

I would suggest offering an API to your customers and using Passport (OAUTH2) for authentication because HTTP_REFERER can be modified and there's nothing to stop me from taking the token from one of your customers.

arxzur
  • Thanks for your input, I already thought of using OAUTH2 but the problem is, we wanna keep it as simple as possible for our modelBuyers, so that they can embed it anywhere (WP/Static HTML/PHP/JS) without worrying about API and all that stuff. Isn't there any other way, other than `HTTP_REFERER`, to 100% determine the request's incoming URL without getting spoofed? Thx :) – J. Taiga Feb 13 '19 at 14:30
  • I don't think so. You would need to decide whether prioritizing simplicity over security is worth it. For example, Google Maps seems to prioritize simplicity with their API keys as discussed [here](https://stackoverflow.com/questions/2256305/how-does-google-maps-secure-their-api-key-how-to-make-something-similar) which are most likely implemented similarly to what you wanna do. For them it makes sense to just accept the risk because the data is not that sensitive. I would argue that making a GET request is not too much to ask from customers, though. Just provide good documentation. – arxzur Feb 13 '19 at 14:47
  • I just wanna implement the same logic as gmaps. For example, even gmaps embedded code with a valid token doesn't work unless the request comes from the right domain. – J. Taiga Feb 13 '19 at 15:04
  • Like it says in the thread I linked to, it's still vulnerable to spoofing but if you think it makes sense in your case, then do it. If you want actual security, implement OAUTH2. – arxzur Feb 13 '19 at 15:15
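
An added example, not code from anyone in this thread, of points 1 and 2 from the question: look up the account by HASH, compare the Referer host with the account's registered domains, and count at most one view per shopper per 30 minutes. `ViewCounter`, `USERS`, the `shop.example` domains and `shopper_id` (assumed to come from a cookie the platform sets) are assumptions; as the comments above say, the Referer is client-supplied, so the domain check filters requests and does not authenticate them.

```python
import time
from urllib.parse import urlsplit

WINDOW_SECONDS = 30 * 60  # the 30-minute window from the question

# Constructed sample data: embed HASH -> account and its registered domains.
USERS = {"HASH": {"user_id": 1, "domains": {"shop.example", "www.shop.example"}}}


class ViewCounter:
    def __init__(self, users, now=time.time):
        self.users = users
        self.now = now            # injectable clock, so the window is testable
        self.views = {}           # user_id -> billable views
        self.last_counted = {}    # (user_id, shopper_id) -> time of last counted view

    @staticmethod
    def referer_allowed(user, referer):
        """Filter only: the Referer header is chosen by the client."""
        try:
            host = (urlsplit(referer or "").hostname or "").lower()
        except ValueError:        # malformed URL, e.g. a broken IPv6 literal
            return False
        # Exact host match; substring or suffix tests would accept
        # look-alike hosts such as shop.example.other.test.
        return host in user["domains"]

    def handle(self, embed_hash, referer, shopper_id):
        """Return (status, counted) for one iframe request."""
        user = self.users.get(embed_hash)
        if user is None:
            return ("unknown_hash", False)
        if not self.referer_allowed(user, referer):
            return ("domain_rejected", False)
        key = (user["user_id"], shopper_id)
        t = self.now()
        last = self.last_counted.get(key)
        if last is not None and t - last < WINDOW_SECONDS:
            return ("ok", False)  # still inside the window: serve, do not bill
        self.last_counted[key] = t
        self.views[user["user_id"]] = self.views.get(user["user_id"], 0) + 1
        return ("ok", True)
```

The window here starts at the last counted view and does not slide on repeat visits, which matches the wording of point 2.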