inman has asked for the wisdom of the Perl Monks concerning the following question:

I am working on a project where a subscription based website run by our company is being linked to by a larger subscription based website. The arrangement is that a subscriber to the larger site is able to use our site once they have logged in to the larger site. There is no single sign on or common authentication available so the larger website needs to provide some information that enables us to validate the user. This must be done in a secure way such that people can't have free access to our site because someone with a login has sent them a URL. (The information isn't particularly sensitive but we are trying to make money!)

I have been prototyping a method based on using an MD5 hash to validate the data being passed, a timestamp and a shared secret that is not passed in the request. Our website is able to receive the request, validate the data and use the timestamp to work out whether the link has timed out. If everything is OK, the user starts a session and is redirected to the content. An invalid link sends the user back to the referring page of the larger website.

This solution appears to be OK to me but as with anything involving security, there are probably holes. I am looking to my fellow monks for guidance and comments! What are the pitfalls, and how could I improve the setup?

Re: OT: Validating a request between web sites
by eric256 (Parson) on Sep 15, 2005 at 17:15 UTC

    What you describe is exactly what I would have suggested. Not that I've done it before. ;) You could also use one of the encryption modules to encrypt the data in the link. Then your shared secret is used to decrypt it. Sending less stuff in the open should make it harder for someone to break.


    ___________
    Eric Hodges
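A worked version of the scheme inman describes, added here as an example and not code from this thread. It swaps the plain MD5 hash for an HMAC (Digest::SHA's hmac_sha256_hex, in core since Perl 5.10) so the shared secret cannot be recovered or extended from the hash, enforces the timestamp window, and compares signatures in constant time; the secret value, the parameter names and the 300-second window are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Shared secret known to both sites; never sent in the request (assumed value).
my $SECRET  = 'replace-with-a-long-random-shared-secret';
my $MAX_AGE = 300;    # seconds a link stays valid (assumed window)

# Larger site: build the signed query string for a subscriber.
sub sign_request {
    my ($user, $ts) = @_;
    # Canonical message: fields joined with a separator that cannot appear in them.
    my $sig = hmac_sha256_hex(join("\n", $user, $ts), $SECRET);
    return "user=$user&ts=$ts&sig=$sig";
}

# Constant-time comparison so a wrong signature does not reveal, through
# response timing, how many leading characters matched.
sub consteq {
    my ($x, $y) = @_;
    return 0 if length $x != length $y;
    my $diff = 0;
    $diff |= ord(substr $x, $_, 1) ^ ord(substr $y, $_, 1) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Our site: validate the incoming parameters; returns the user name or undef.
sub validate_request {
    my ($params, $now) = @_;
    my ($user, $ts, $sig) = @{$params}{qw(user ts sig)};
    return undef unless defined $user && defined $ts && defined $sig;
    # Restrict the fields to the shapes we expect before using them anywhere.
    return undef unless $user =~ /\A[\w.@-]{1,64}\z/ && $ts =~ /\A\d{1,12}\z/;
    # Expired, or stamped implausibly far in the future (allow 60s clock skew).
    return undef if $now - $ts > $MAX_AGE || $ts > $now + 60;
    my $expected = hmac_sha256_hex(join("\n", $user, $ts), $SECRET);
    return consteq(lc $sig, $expected) ? $user : undef;
}

# Demo with a constructed request, then the same request with one field altered.
my $now = time;
my $qs  = sign_request('alice', $now);
my %p   = map { split /=/, $_, 2 } split /&/, $qs;
print validate_request(\%p, $now) ? "valid\n" : "rejected\n";    # valid
$p{user} = 'someone-else';
print validate_request(\%p, $now) ? "valid\n" : "rejected\n";    # rejected
```

Because the signature covers the timestamp, a forwarded link stops working once the window passes even though the recipient sees every parameter; only a party holding the secret can mint a fresh one.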