You can pass the token using HTTP headers, or via a POST request which will make it invisible in the URL. Using this method the token ID is not present in the URL.
Since you are redirecting from one domain to another using a GET request, this leaves the HTTP headers method as your only method to go about implementing this. Please note that this only works in a server-to-server communication since it requires manipulating header values, which is not feasible in a client-server communication (a browser cannot be instructed to add custom headers to a redirect). This means you need to have control and be able to modify both servers.
We'll use a cURL request to demonstrate how to pass the token through headers:
```php
<?php
// Domain 1
$secretKey = 'xxxxxxxx';
$secondDomainURL = 'https://qikgraphics.com/softresources/graphics-toolkit/ebizgraphics/watch-tutorial.php';

// Generate a token with the secret key
$token = hash_hmac('sha256', $secondDomainURL, $secretKey);

// Use cURL to send a GET request with custom headers
$ch = curl_init($secondDomainURL);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['X-TOKEN: ' . $token]);
$response = curl_exec($ch);
curl_close($ch);
echo $response;
```
```php
<?php
// Domain 2
$secretKey = 'xxxxxxxx';

// Read the X-TOKEN header (PHP exposes it as HTTP_X_TOKEN); empty string if absent
$token = isset($_SERVER['HTTP_X_TOKEN']) ? $_SERVER['HTTP_X_TOKEN'] : '';
$secondDomainURL = 'https://qikgraphics.com/softresources/graphics-toolkit/ebizgraphics/watch-tutorial.php'; // Define this URL

// Verify the token: recompute the HMAC and compare in constant time
// (hash_equals() avoids leaking information through comparison timing)
$expectedToken = hash_hmac('sha256', $secondDomainURL, $secretKey);
if (!hash_equals($expectedToken, $token)) {
    // Access denied, show an error message or redirect to another page
    echo 'Access denied.';
    exit;
}
// Continue loading the page
```
In this example, we include the token inside an HTTP header `X-TOKEN` instead of as a URL parameter.
Please note, however, that this method of domain redirection, using server-side network requests like cURL, will not actually redirect the user's browser to the new page. Their address bar would still show the domain making the cURL request, not the domain the cURL request is made to.
There are workarounds such as sending an HTML document that submits a hidden POST form upon page load using JavaScript, but these are likely much more work than you were hoping to do for this, and they're arguably less secure because they require client-side JavaScript execution. The truth is, HTTP is inherently designed to expose such information in GET requests, and the alternatives are significantly more complex. If your data is sensitive and security is a high priority, you should consider using a secure server-side session, or authentication framework. Security is a complex field, and it's usually best to use established, community-vetted solutions whenever possible.
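As an added example (not part of the answer above), here is the same `X-TOKEN` scheme with two hardening changes: the HMAC also covers a timestamp, so a header value that is captured in transit or in logs stops validating after a short window, and the comparison uses `hash_equals()`. The shared secret, the 60-second window and the CLI self-check values are assumptions.

```php
<?php
// Added example, not the answer's own code. Token format: "<unix timestamp>.<hex hmac>".
// The secret, the 60-second window and the self-check values are constructed.

// Domain 1: build the header value. $now is injectable so the self-check is deterministic.
function make_token(string $url, string $secretKey, ?int $now = null): string {
    $ts  = (string)($now ?? time());
    $mac = hash_hmac('sha256', $ts . "\n" . $url, $secretKey);
    return $ts . '.' . $mac;
}

// Domain 2: accept only if the format is right, the timestamp is fresh and the HMAC
// matches. Returns a bool instead of echoing so the caller decides how to respond.
function verify_token(string $token, string $url, string $secretKey,
                      int $maxAge = 60, ?int $now = null): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;                                   // malformed header value
    }
    [$ts, $mac] = $parts;
    if (abs(($now ?? time()) - (int)$ts) > $maxAge) {
        return false;                                   // expired, or clocks too far apart
    }
    $expected = hash_hmac('sha256', $ts . "\n" . $url, $secretKey);
    return hash_equals($expected, $mac);                // constant-time comparison
}

// Usage on Domain 1 (inside the cURL call from the answer):
//   curl_setopt($ch, CURLOPT_HTTPHEADER, ['X-TOKEN: ' . make_token($url, $secretKey)]);
// Usage on Domain 2 (before rendering the page):
//   if (!verify_token($_SERVER['HTTP_X_TOKEN'] ?? '', $url, $secretKey)) { http_response_code(403); exit; }

// Self-check when run from the CLI, using constructed values.
if (PHP_SAPI === 'cli') {
    $secretKey = 'constructed-shared-secret-change-me';
    $url = 'https://qikgraphics.com/softresources/graphics-toolkit/ebizgraphics/watch-tutorial.php';
    $fresh = make_token($url, $secretKey, 1700000000);
    var_dump(verify_token($fresh, $url, $secretKey, 60, 1700000030));        // 30 s later, inside the window
    var_dump(verify_token($fresh, $url, $secretKey, 60, 1700000200));        // 200 s later, expired
    var_dump(verify_token($fresh . 'x', $url, $secretKey, 60, 1700000030));  // tampered MAC
    var_dump(verify_token('garbage', $url, $secretKey, 60, 1700000030));     // malformed value
}
```

Both servers must share the same secret and have reasonably synchronised clocks; widen `$maxAge` only as far as your tolerance for replay of a captured header allows.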
Having issues? Ensure your server environment accepts custom headers. Some hosting providers, shared hosts in particular, may disallow or ignore custom headers.
Check that your Domain 2 script is receiving the correct request with the header. You can temporarily add `var_dump($_SERVER);` to dump the entire `$_SERVER` array to the output to inspect it.