How to reliably identify a website_问答_开发者

开发者 https://www.devze.com 2023-01-29 08:52 出处：网络

I have a file that is being linked to from other sub websites. The file: http://site.com/file.img Website A linking to it <img src=\"http://site.com/file.img\"></img>

I have a file that is being linked to from other sub websites.

The file: http://site.com/file.img

Website A linking to it <img src="http://site.com/file.img"></img>

website B linking to it <img src="http://site.com/file.img"></img>

I need to reliably identify which of these websites has accessed the file, but I know that $_SERVER['HTTP_REFERER'] can be spoofed. What开发者_JAVA百科 other ways do I have to reliably confirm the requester site? By IP, get them to register an IP? not sure. setup an API key? What options are there?

If a website is only linking to a file, the "website" itself will never actually access your image. Instead, the client who's viewing the site will make a request for the image.

As such, you're depending on information sent by the client, which is completely out of your control and not reliable at all. If you have the opportunity to set some sort of unique cookie on the client, you may be able to use this in some fashion for extended identification, but even that won't be reliable.

There is no 100% reliable solution.

Getting the referrer is the best you can do without getting into complicated territory.

If you don't mind complicated, then read on: set up your Web server to serve file.img only to Website A and Website B, then require that Website A and Website B set up a proxy configuration on their end that will retrieve file.img on behalf of their visitors.

Example:

A visitor to Website A loads a page that contains an image tag like <img src="http://websiteA.com/file.img"/> (note reference to Website A rather than your site). Client requests file.img from WebsiteA.com accordingly. Website A is configured to proxy requests for the path /file.img to your server, http://site.com/file.img. Your site verifies that it is in fact Website A that is requesting the image and then serves it to Website A's proxy. Website A then serves it to the visitor.

Basically, that makes it a pain for Websites A and B, gives you a performance hit, and also requires further configuration on your part. But I imagine that would satisfy your requirement.

Have a look at how OpenID relying is implemented, it allows one site to authenticate against another. The protocol specification will give a hint at the effort and overhead required to reliably implement such a scheme.

http://googlecode.blogspot.com/2010/11/googles-sample-openid-relying-party.html