I am working on a project where a subscription based website run by our company is being linked to by a larger subscription based website. The arrangement is that a subscriber to the larger site is able to use our site once they have logged in to the larger site. There is no single sign on or common authentication available so the larger website needs to provide some information that enables us to validate the user. This must be done in a secure way such that people can't have free access to our site because someone with a login has sent them a URL. (The information isn't particularly sensitive but we are trying to make money!)

I have been prototyping a method based on using an MD5 hash to validate the data being passed, a timestamp and a shared secret that is not passed in the request. Our website is able to receive the request, validate the data and use the timestamp to work out whether the link has timed out. If everything is OK, the user starts a session and is redirected to the content. An invalid link sends the user back to the referring page of the larger website.

This solution appears to be OK to me but as with anything involving security, there are probably holes. I am looking to my fellow monks for guidance and comments! What are the pitfalls, and how could I improve the setup?


In reply to OT: Validating a request between web sites by inman
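The scheme inman describes (a signed URL carrying the user data, a timestamp and a digest computed with a secret that never travels in the request) is shown below as an added example; it is not inman's code and not the code of either website. Two things differ from the prototype and are deliberate: the digest is an HMAC-SHA256 rather than a bare MD5 of secret-plus-data, and a random per-link nonce is added and remembered after first use so that a forwarded URL cannot be redeemed twice inside the timeout window. The parameter names, the secret value, the five-minute window and the in-memory nonce store are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for the example: the shared secret lives in both sites' config
# and never appears in a URL; the window and skew allowance are guesses at
# sensible defaults.
SHARED_SECRET = b"example-shared-secret-change-me"
LINK_TTL_SECONDS = 300
CLOCK_SKEW_SECONDS = 60


def canonical_message(user_id: str, ts: int, nonce: str) -> bytes:
    """Serialise the signed fields unambiguously (percent-encoded, fixed order),
    so no two different field sets produce the same bytes to sign."""
    return urlencode([("nonce", nonce), ("ts", ts), ("uid", user_id)]).encode()


def sign(user_id: str, ts: int, nonce: str, secret: bytes = SHARED_SECRET) -> str:
    """HMAC-SHA256 over the canonical message. HMAC is used instead of a bare
    MD5(secret + data) hash so the secret cannot be attacked by length extension
    and MD5 collisions do not come into play."""
    return hmac.new(secret, canonical_message(user_id, ts, nonce), hashlib.sha256).hexdigest()


def build_link(base_url: str, user_id: str, now: Optional[float] = None,
               secret: bytes = SHARED_SECRET) -> str:
    """What the larger site does: mint a signed, time-stamped, single-use link."""
    ts = int(time.time() if now is None else now)
    nonce = secrets.token_urlsafe(16)   # random per-link value, used to defeat replay
    query = urlencode({"uid": user_id, "ts": ts, "nonce": nonce,
                       "sig": sign(user_id, ts, nonce, secret)})
    return f"{base_url}?{query}"


class LinkValidator:
    """What our site does on arrival: check signature, time window and single use."""

    def __init__(self, secret: bytes = SHARED_SECRET, ttl: int = LINK_TTL_SECONDS):
        self.secret = secret
        self.ttl = ttl
        self._redeemed = {}   # nonce -> time after which it can be forgotten

    def validate(self, url: str, now: Optional[float] = None) -> Tuple[bool, str]:
        """Return (True, user_id) for a good link, else (False, reason)."""
        now = int(time.time() if now is None else now)
        params = parse_qs(urlparse(url).query)
        try:
            user_id = params["uid"][0]
            ts = int(params["ts"][0])
            nonce = params["nonce"][0]
            sig = params["sig"][0]
        except (KeyError, IndexError, ValueError):
            return False, "malformed"

        # 1. Authenticity: constant-time compare so timing does not leak the digest.
        if not hmac.compare_digest(sign(user_id, ts, nonce, self.secret), sig):
            return False, "bad signature"

        # 2. Freshness: reject links older than the window or dated in the future
        #    (beyond a small allowance for clock skew between the two sites).
        if now - ts > self.ttl or ts - now > CLOCK_SKEW_SECONDS:
            return False, "expired"

        # 3. Single use: a forwarded link that was already redeemed is refused,
        #    which closes the "mail the URL to a friend" hole within the window.
        self._forget_old(now)
        if nonce in self._redeemed:
            return False, "replayed"
        self._redeemed[nonce] = ts + self.ttl + CLOCK_SKEW_SECONDS
        return True, user_id

    def _forget_old(self, now: int) -> None:
        """Drop nonces whose links could no longer pass the freshness check anyway."""
        for nonce, forget_at in list(self._redeemed.items()):
            if forget_at < now:
                del self._redeemed[nonce]


if __name__ == "__main__":
    validator = LinkValidator()
    link = build_link("https://oursite.example/partner-entry", "subscriber42")
    print(link)
    print(validator.validate(link))   # (True, 'subscriber42')
    print(validator.validate(link))   # (False, 'replayed')
```

Points a practitioner would check against the prototype: the digest must be compared in constant time; the two sites' clocks must agree to within the skew allowance or good links will be rejected; and the redeemed-nonce store has to be shared across every server that can receive the link (a database or cache, not a per-process dict as here), otherwise a replay that lands on a different server is accepted.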
