Marcus.

If the user shares the original link though, they will always hit the
first page and be given the localsite as the referrer before moving
on.

What is to prevent the user from passing around the original link that
includes the hash?

Unless it is a one time hash, which Wofka already said he did not want
to do.

On Nov 12, 12:17 pm, Marcus Silva <[EMAIL PROTECTED]> wrote:
> You did not understand it, did you?
>
> The referer will always be your own domain if the hash in the email
> validated, since you will be redirecting the user to that page.
>
> Consider this:
>
> A user registers for a website and gets a confirmation link.  The link
> in the email points to:
>
> http://www.yourdomain.com/confimation/email_hash
>
> After the email hash has been validated you send the user to another
> page on your site.
>
> In that other page you check if the referer is (yourself)  your own
> domain (http://www.yourdomain.com/confimation/email_hash).
>
> Just make sure you do not link to that page from anywhere in your
> site.
>
> If you know a better solution then use it and share with others as
> well.
>
> Maybe you will get it now.
>
> On Nov 12, 4:40 pm, Smelly_Eddie <[EMAIL PROTECTED]> wrote:
>
> > That still does not prevent a user from sharing the original url in
> > the email. Anyone that visits the first page could see the second.
>
> > It seems like this is a  moot point if you use authentication or email
> > tickets, which would be a much more sound approach.
>
> > Any solution you may come up with will not be secure since there is no
> > unique way to identify the source as an email. Some web based email
> > will show the referrer as the provider (gmail, yahoo) but client based
> > applications (thunderbird or outlook) will have a blank referrer.
>
> > -EW
>
> > On Nov 11, 4:16 pm, Marcus Silva <[EMAIL PROTECTED]> wrote:
>
> > > Hi,
>
> > > I am not sure if I got your question right, but if I did you might be
> > > ok doing the following:
>
> > > Create an email hash key like Jon Bennett suggested, when the user
> > > comes back to your site take
>
> > > make the user go to a url on your site where you can check the hashed
> > > value, then send the user to another page, in that page check if the
> > > > referer ($this->referer()) was the page the user visited originally
> > > > via the email link, only send the user to this page if the hash key
> > > > validates.
>
> > > That should work....
>
> > > Hope it helps
>
> > > Cheers
>
> > > Marcus
>
> > > Another way
>
> > > On Nov 11, 8:38 pm, "Jon Bennett" <[EMAIL PROTECTED]> wrote:
>
> > > > > > Yes I thought about this approach. But the problem is that I need to make
> > > > > > access only through email, without restrictions in visit count.
>
> > > > > In that case don't check for a key's count, just allow it. Still use a
> > > > > key though, ideally random per email sent out, something like:
>
> > > > $key = substr(md5($user['User']['name'].$user['User']['email']), 0, 20);
>
> > > > Only a really keen individual will bother trying to guess your hash
> > > > key, so only valid urls will work.
>
> > > > I don't see how you can stop people from passing the urls around
> > > > though if they can be used more than once. You can spoof the referrer,
> > > > so I really don't know how you could police it effectively.
>
> > > > hth
>
> > > > jon
>
> > > > --
>
> > > > jon bennett
> > > > w:http://www.jben.net/
> > > > iChat (AIM): jbendotnet Skype: jon-bennett
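
The points raised in this thread, as an added example that is not part of any poster's message or of CakePHP itself: a key derived from name and email can be recomputed by anyone who knows both, while a random per-email ticket cannot, and the second page is gated on server-side session state instead of the Referer header. The function names, the `$store` array (standing in for a database table) and the sample values are assumptions; a reusable link can still be forwarded, as the thread notes.

```php
<?php
// Added example with hypothetical helper names; $store stands in for a DB table.

// Key as posted in the thread: built only from name and email, so it is the
// same for every email sent and can be recomputed without receiving the mail.
function derivedKey(string $name, string $email): string
{
    return substr(md5($name . $email), 0, 20);
}

// Random ticket generated per email sent. Only its SHA-256 digest is stored,
// so a leaked table does not reveal usable links.
function issueTicket(array &$store, int $userId): string
{
    $ticket = bin2hex(random_bytes(32));
    $store[hash('sha256', $ticket)] = $userId;
    return $ticket; // this value goes into the emailed link
}

// Returns the user id bound to a valid ticket, or null for an unknown one.
function checkTicket(array $store, string $ticket): ?int
{
    return $store[hash('sha256', $ticket)] ?? null;
}

// Gate for the second page: rely on session state set after the ticket
// validated, never on the client-supplied Referer header.
function mayViewSecondPage(array $session): bool
{
    return isset($session['confirmed_user_id']);
}

// Constructed sample values below.
$store = [];
$ticket = issueTicket($store, 42);

$session = [];
$userId = checkTicket($store, $ticket);
if ($userId !== null) {
    $session['confirmed_user_id'] = $userId; // set on the confirmation page
}

var_dump(derivedKey('alice', 'alice@example.com'));   // recomputable by anyone
var_dump(mayViewSecondPage($session));                // visitor who used the link
var_dump(mayViewSecondPage([]));                      // request with no session
var_dump(checkTicket($store, str_repeat('0', 64)));   // guessed ticket
```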