Need to restrict access to a page between domains? If your pages are on the same domain, you can use sessions. But what about two different domains?
After much experimenting, I present a simple way to restrict page access between domains without a database.
EXAMPLE 1:
Code for referring domain:
<?php
$secretKey = '0101010';
$secondDomainURL = 'https://qikgraphics.com/1/banner/creator.php';
// Generate a token with the secret key
$token = hash_hmac('sha256', $secondDomainURL, $secretKey);
// Redirect the user to the second domain with the token as a query parameter
header("Location: $secondDomainURL?token=$token");
exit;
?>
Code for second domain with protected content (place at top before all other content):
<?php
$secretKey = '0101010';
$token = $_GET['token'] ?? null; // If 'token' is not set in $_GET, assign null to $token
$secondDomainURL = 'https://qikgraphics.com/1/banner/creator.php'; // Define this URL (must match the referring domain exactly)
// Verify the token
$expectedToken = hash_hmac('sha256', $secondDomainURL, $secretKey);
if ($token !== $expectedToken) {
// Access denied, show an error message or redirect to another page
echo 'Access denied.';
exit;
}
?>
EXAMPLE 2:
If you do not wish to show the token in the URL, try this version, but note that you MUST have full control of both servers.
Yes, you can pass the token using HTTP headers, or via a POST request, which makes it invisible in the URL.
Since you are redirecting from one domain to another using a GET request, the HTTP headers method is the only one available for this. Please note that this only works for server-to-server communication, since it requires setting header values, which is not feasible in client-server communication (a browser cannot be instructed to add custom headers to a redirect). This means you need control over, and the ability to modify, both servers.
We'll use a cURL request to demonstrate how to pass the token through headers:
<?php
// Domain 1
$secretKey = '0101010';
$secondDomainURL = 'https://qikgraphics.com/softresources/graphics-toolkit/ebizgraphics/watch-tutorial.php';
// Generate a token with the secret key
$token = hash_hmac('sha256', $secondDomainURL, $secretKey);
// Use cURL to send a GET request with custom headers
$ch = curl_init($secondDomainURL);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HTTPHEADER, ['X-TOKEN: ' . $token]);
$response = curl_exec($ch);
if ($response === false) {
    // The request itself failed (DNS, TLS, connection); report it instead of echoing nothing
    echo 'Request to second domain failed: ' . curl_error($ch);
} else {
    echo $response;
}
curl_close($ch);
?>
<?php
// Domain 2
$secretKey = '0101010';
$token = $_SERVER['HTTP_X_TOKEN'] ?? null; // PHP exposes the X-TOKEN request header as HTTP_X_TOKEN; null if absent
$secondDomainURL = 'https://qikgraphics.com/softresources/graphics-toolkit/ebizgraphics/watch-tutorial.php'; // Define this URL
// Verify the token
$expectedToken = hash_hmac('sha256', $secondDomainURL, $secretKey);
if ($token !== $expectedToken) {
// Access denied, show an error message or redirect to another page
echo 'Access denied.';
exit;
}
// Continue loading the page
?>
In this example, we include the token inside an HTTP header, X-TOKEN, instead of as a URL parameter.
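The following helper is an added example, not code from the original post. It covers both examples above (the query-parameter variant and the X-TOKEN header variant) with one set of functions, and goes one step beyond the post in two ways a practitioner would want: because hash_hmac over a fixed URL and a fixed key always yields the same token, a token that has been seen once in a URL, a referrer or a log stays valid indefinitely, so the HMAC here also covers an expiry timestamp; and the comparison uses hash_equals() rather than !==, so the check runs in constant time. The function names, the 'exp' query parameter, the X-TOKEN-EXP header and the 300-second lifetime are assumptions of this example; the key and URL are the post's own placeholders.

```php
<?php
declare(strict_types=1);
// Added example, not code from the original post. Assumed names: make_token,
// verify_token, the 'exp' query parameter, the X-TOKEN-EXP header, and a
// 300-second token lifetime. Key and URL below are the post's own placeholders.

function make_token(string $url, string $secretKey, int $ttl = 300, ?int $now = null): array
{
    $exp = ($now ?? time()) + $ttl;
    // The MAC binds the token to the destination URL *and* to the expiry time,
    // so a captured token cannot be replayed after $ttl seconds or against another page.
    $token = hash_hmac('sha256', $url . '|' . $exp, $secretKey);
    return ['token' => $token, 'exp' => $exp];
}

function verify_token(?string $token, ?string $exp, string $url, string $secretKey, ?int $now = null): bool
{
    // Reject missing or malformed input before doing any crypto.
    if ($token === null || $exp === null || !preg_match('/^\d{1,12}$/', $exp)) {
        return false;
    }
    if ((int) $exp < ($now ?? time())) {
        return false; // expired
    }
    $expected = hash_hmac('sha256', $url . '|' . $exp, $secretKey);
    // Constant-time comparison; === / !== leaks timing information about the first differing byte.
    return hash_equals($expected, $token);
}

// Referring domain, query-parameter variant (Example 1): the URL to put in the Location header.
function build_redirect_url(string $url, string $secretKey): string
{
    $t = make_token($url, $secretKey);
    return $url . '?' . http_build_query(['token' => $t['token'], 'exp' => $t['exp']]);
}

// Referring domain, header variant (Example 2): the array to pass to CURLOPT_HTTPHEADER.
function token_headers(string $url, string $secretKey): array
{
    $t = make_token($url, $secretKey);
    return ['X-TOKEN: ' . $t['token'], 'X-TOKEN-EXP: ' . $t['exp']];
}

// Second domain: call at the top of the protected page; accepts either transport.
function request_is_authorised(string $url, string $secretKey): bool
{
    // PHP exposes the request headers X-TOKEN / X-TOKEN-EXP as HTTP_X_TOKEN / HTTP_X_TOKEN_EXP.
    $token = $_SERVER['HTTP_X_TOKEN'] ?? $_GET['token'] ?? null;
    $exp   = $_SERVER['HTTP_X_TOKEN_EXP'] ?? $_GET['exp'] ?? null;
    if (!is_string($token) || !is_string($exp)) {
        return false; // absent, or an array smuggled in via ?token[]=
    }
    return verify_token($token, $exp, $url, $secretKey);
}

// Self-check with a fixed clock; returns true when every case behaves as intended.
function self_test(): bool
{
    $secretKey = '0101010'; // the post's placeholder; use a long random key in practice
    $url = 'https://qikgraphics.com/1/banner/creator.php';
    $issued = 1700000000; // constructed timestamp
    $t = make_token($url, $secretKey, 300, $issued);
    $exp = (string) $t['exp'];
    $cases = [
        verify_token($t['token'], $exp, $url, $secretKey, $issued + 100) === true,   // fresh token
        verify_token($t['token'], $exp, $url, $secretKey, $issued + 301) === false,  // expired
        verify_token($t['token'], (string) ($t['exp'] + 60), $url, $secretKey, $issued + 100) === false, // exp tampered
        verify_token($t['token'], $exp, 'https://example.invalid/other.php', $secretKey, $issued + 100) === false, // wrong page
        verify_token(null, $exp, $url, $secretKey, $issued + 100) === false,         // no token at all
    ];
    return !in_array(false, $cases, true);
}

if (PHP_SAPI === 'cli') {
    echo self_test() ? "all checks passed\n" : "FAILED\n";
}
```

On the referring domain the redirect becomes header('Location: ' . build_redirect_url($secondDomainURL, $secretKey)); exit; (or token_headers() in place of the ['X-TOKEN: ' . $token] array for the cURL variant), and on the second domain the guard is if (!request_is_authorised($secondDomainURL, $secretKey)) { echo 'Access denied.'; exit; }. Both servers must agree on the URL string byte for byte and have clocks that are roughly in sync, otherwise every token is rejected as expired or mismatched.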
Please note, however, that this method of domain redirection, using server-side network requests like cURL, will not actually redirect the user's browser to the new page. Their address bar would still show the domain making the cURL request, not the domain the cURL request is made to.
There are workarounds such as sending an HTML document that submits a hidden POST form on page load using JavaScript, but these are likely much more work than you were hoping to do for this, and they're arguably less secure because they require client-side JavaScript execution. The truth is, HTTP is inherently designed to expose such information in GET requests, and the alternatives are significantly more complex. If your data is sensitive and security is a high priority, you should consider using a secure server-side session or an authentication framework. Security is a complex field, and it's usually best to use established, community-vetted solutions whenever possible.