Domain to domain SQLite restrict page access

Domain 1 controls the database while Domain 2 just acts according to the token verification result. In this scenario, Domain 2 will not directly access the database, but it will make a request to Domain 1 (verifyToken.php) to check whether a given token is valid or not. Domain 1 will return a response accordingly after checking the database, and Domain 2 will then grant or deny access based on this response.

We will use API endpoints to help facilitate this communication between the two domains.

Here's an example:

In Domain 1, generate the token and create the token verification API endpoint:

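// Token generating script in Domain 1
// Placeholder secret: use a long random value stored outside the web root, identical on both domains
$secretKey = '0101010';
$secondDomainURL = 'https://domain2.com/page.php';

// Generate a token with the secret key
$token = hash_hmac('sha256', $secondDomainURL, $secretKey);

// Store the token in your database
$db = new SQLite3('tokens.db');
// TEXT, not STRING: SQLite gives a column declared STRING numeric affinity
$db->exec("CREATE TABLE IF NOT EXISTS tokens (token TEXT PRIMARY KEY, used INTEGER NOT NULL DEFAULT 0)");
// The HMAC of a fixed URL is the same on every run, so a plain INSERT fails the
// second time; OR REPLACE stores the token again with used = 0
$stmt = $db->prepare('INSERT OR REPLACE INTO tokens (token) VALUES (:token)');
$stmt->bindValue(':token', $token, SQLITE3_TEXT);
$stmt->execute();

// Redirect the user to the second domain with the token as a query parameter
header("Location: $secondDomainURL?token=$token");
exit;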

// Token verification API endpoint in Domain 1 (verifyToken.php)
// This is a separate script, so it opens the database itself
$db = new SQLite3('tokens.db');
$token = $_GET['token'] ?? null;
$granted = false;
if (is_string($token) && $token !== '') {
    // Check the token and mark it as used in one statement, so two
    // simultaneous requests cannot both redeem it
    $stmt = $db->prepare('UPDATE tokens SET used = 1 WHERE token = :token AND used = 0');
    $stmt->bindValue(':token', $token, SQLITE3_TEXT);
    $stmt->execute();
    $granted = ($db->changes() === 1);
}

if ($granted) {
    echo 'Access granted';
} else {
    echo 'Access denied';
}

In Domain 2, make a request to the API endpoint in Domain 1 to check the token and grant or deny access:

$secretKey = '0101010'; // Must match the secret key used on Domain 1
$token = $_GET['token'] ?? null; // If 'token' is not set in $_GET, assigns null to $token
// REQUEST_URI starts with '/' and includes the query string, so keep only the
// path to rebuild the same URL that Domain 1 signed
$secondDomainURL = 'https://domain2.com' . parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH);
$apiURL = 'https://domain1.com/verifyToken.php'; // Replace with actual URL to your verification script on Domain 1

// Verify the token
$expectedToken = hash_hmac('sha256', $secondDomainURL, $secretKey);

// hash_equals() compares in constant time and requires two strings
if (!is_string($token) || !hash_equals($expectedToken, $token)) {
    // Access denied
    echo 'Access denied.';
    exit;
}

// Call API to check and update token status
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $apiURL . '?token=' . urlencode($expectedToken));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 5);
$response = curl_exec($ch);
curl_close($ch);

// curl_exec() returns false on failure, which is treated as a denial
if (!is_string($response) || trim($response) !== 'Access granted') {
    // If API response is other than 'Access granted', deny access
    echo 'Access denied.';
    exit;
}
// Continue with your page access...

You'll need to replace 'https://domain1.com/verifyToken.php' with the actual URL of your verification script on Domain 1.

Please remember that these are simplified examples for understanding, and it's highly recommended to add more security measures such as SSL for your domains, error handling, and data sanitization.
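An added example, not part of the original page: the HMAC of a fixed URL is the same on every visit, so one visit's token cannot be told apart from another's. This variant of the same flow goes beyond the page's code by signing a random nonce and an expiry time together with the URL, and by redeeming the token with a single UPDATE so that concurrent requests cannot both succeed. The function names, table layout, 60-second lifetime and placeholder secret are assumptions.

```php
<?php
// Added example; names, schema and lifetime are assumptions, not the page's code.
const SECRET = 'replace-with-a-long-random-secret'; // constructed placeholder

// Domain 1: issue a token unique to this visit and record its nonce as unused.
function issueToken(SQLite3 $db, string $url, int $now, int $ttl = 60): string {
    $nonce = bin2hex(random_bytes(16));
    $expires = $now + $ttl;
    $mac = hash_hmac('sha256', "$url|$nonce|$expires", SECRET);
    $stmt = $db->prepare('INSERT INTO tokens (nonce, expires) VALUES (:n, :e)');
    $stmt->bindValue(':n', $nonce, SQLITE3_TEXT);
    $stmt->bindValue(':e', $expires, SQLITE3_INTEGER);
    $stmt->execute();
    return "$nonce.$expires.$mac";
}

// Domain 2: local signature and expiry check before calling Domain 1.
function signatureValid(string $token, string $url, int $now): bool {
    $parts = explode('.', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) return false;
    [$nonce, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', "$url|$nonce|$expires", SECRET);
    return hash_equals($expected, $mac) && (int)$expires >= $now;
}

// Domain 1 (verifyToken.php): atomic redemption, true only for the first caller.
function redeemToken(SQLite3 $db, string $token, string $url, int $now): bool {
    if (!signatureValid($token, $url, $now)) return false;
    $nonce = explode('.', $token)[0];
    $stmt = $db->prepare(
        'UPDATE tokens SET used = 1 WHERE nonce = :n AND used = 0 AND expires >= :t');
    $stmt->bindValue(':n', $nonce, SQLITE3_TEXT);
    $stmt->bindValue(':t', $now, SQLITE3_INTEGER);
    $stmt->execute();
    return $db->changes() === 1;
}

// Constructed demonstration using an in-memory database.
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE tokens (nonce TEXT PRIMARY KEY,
           expires INTEGER NOT NULL, used INTEGER NOT NULL DEFAULT 0)');
$url = 'https://domain2.com/page.php';
$now = time();
$token = issueToken($db, $url, $now);
var_dump(signatureValid($token, $url, $now));        // freshly issued token
var_dump(redeemToken($db, $token, $url, $now));      // first redemption
var_dump(redeemToken($db, $token, $url, $now));      // replay of the same token
var_dump(signatureValid($token . '0', $url, $now));  // tampered signature
var_dump(redeemToken($db, issueToken($db, $url, $now), $url, $now + 61)); // expired
```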