How do you prevent access?


cunning-fox
10-24-2002, 02:16 AM
Hi,

I have an affiliate program. The method of crediting affiliates I'm entertaining is by image source. In other words, a page loads with a tag that accesses a cgi url that credits, located in the body. Is there any way to prevent affiliates from 1) being able to load the page to gain false credits and 2) being able to steal the image tag from the source?

Thanks

frodo
10-25-2002, 11:40 AM
I think I know what you are looking for....

Will the page be dynamically generated or is it a static html?

frodo
10-25-2002, 11:59 AM
I'll presume the page has to be dynamic...

Create a hidden iFrame window which calls a cgi-script.
The cgi-script will have appended to it a hash=value, i.e.

counter.cgi?hash=00102030808040506078889

As an example .... use a timestamp value as the first part of the hash and the second part of the hash as the user_id....

Timestamp = 0123456789 = T
user_id = 0000000088 = U

hash = TUTUTUTUTUTUTUTU
Depending on how serious you are about the hash, you could add another value into the hash to confuse people.

When the counter.cgi script is called it checks first for the user_id. If true it reconstructs the timestamp from the hash and checks against the server's current timestamp. If there is a minute in the difference, do nothing.

1) being able to load the page to gain false credits: They need to know the hash algorithm... you could also check the %ENV variables host address received from the user against the constant variable you have defined as the server address...
$domain_path = $ENV{'HTTP_REFERER'}; This means that your script can only run from your server and as you have the only access to the server and its pages, you can guarantee its authenticity.

2) being able to steal the image tag from the source? If they do, so what. It's defunct within a minute.

Hope this is what you were looking for.

Cormac.
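
Added example, not part of the post above and not code from anyone in this thread: the timestamp + user_id value appended to counter.cgi, checked against a one-minute window. It swaps the interleaved-digit scheme for an HMAC-SHA256 over the two fields, so knowing the algorithm is not enough to mint a value; the secret, the field layout, the function names and the sample values are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_hex);

# Assumptions, not from the thread: secret, field layout, window length.
my $SECRET  = 'replace-with-a-long-random-server-side-value';  # placeholder
my $MAX_AGE = 60;                        # seconds ("a minute in the difference")

# Page-generating side: value to append as counter.cgi?hash=...
sub make_token {
    my ($user_id, $now) = @_;
    my $payload = sprintf '%010d.%010d', $now, $user_id;  # T and U, 10 digits each
    return $payload . '.' . hmac_sha256_hex($payload, $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub ct_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0 ? 1 : 0;
}

# counter.cgi side: returns the user_id to credit, or undef to do nothing.
sub check_token {
    my ($token, $now) = @_;
    return undef unless defined $token
        && $token =~ /\A(\d{10})\.(\d{10})\.([0-9a-f]{64})\z/;
    my ($ts, $uid, $mac) = ($1, $2, $3);
    # Verify the MAC before trusting either field.
    return undef unless ct_eq($mac, hmac_sha256_hex("$ts.$uid", $SECRET));
    my $age = $now - $ts;
    return undef if $age < 0 || $age > $MAX_AGE;   # stale or future-dated
    return $uid + 0;
}

# Constructed sample values, for illustration only.
my $t0    = 1035543540;
my $token = make_token(88, $t0);
(my $forged = $token) =~ s/\.0000000088\./.0000000099./;  # user_id edited by hand

for my $case (['fresh', $token, $t0 + 5], ['stale', $token, $t0 + 61],
              ['edited user_id', $forged, $t0 + 5]) {
    my $uid = check_token($case->[1], $case->[2]);
    printf "%-15s %s\n", $case->[0], defined $uid ? "credit user $uid" : 'do nothing';
}
```

A value that passes this check can still be presented more than once inside the window; crediting each value only once needs a server-side record of values already seen.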

cunning-fox
10-25-2002, 06:52 PM
The page is static. See, once customers order, they are forwarded from my merchant account provider to a page on my domain.

If you can't do the same type of thing you mentioned earlier with static pages, then would it be bullet-proof to link directly to the calculate.cgi script checking the referrer domain to see that it's my payment processor? (because if you link to the script it will go to a page you specify)

Thanks

frodo
10-29-2002, 11:29 AM
There was a mention recently "a few messages back" on checking for referrer domains. It suggested that it wasn't foolproof as not all browsers submit referrer details. You may want to check the message...

However, you could check the Referer against your own address and against a blank string? Neither way is perfect.