>I need to implement some low level security that locks a certain page
>if the user does come from a particular link (which is hosted on
>another domain). I've considered using HTTP_REFERER variable but
>seems this is a little shaky as it is not always set.
HTTP_REFERER is trivially fakable. Plus, some users can't send it
if their lives depended on it, because ISP proxies may delete it.
Why do you need joke-level security?
Step back from the problem a little. Specifically WHAT problem are
you attempting to solve? Deep linking by Google? Too much traffic
to your site? Links from fark.com? Spammers abusing your feedback
page?
If you have gotten to the point of seriously considering handing
out ID cards to alligators to limit them to ONE bite of your ass
each, it's time to take a step back and realize that the original
problem was to drain the swamp.
>Well, you could use a CAPTCHA. Or you could ask for a password and
not check it. Both probably provide better joke-level security.
>Does anyone have a solution that would allow me to restrict.
If you trust the user's browser, you've thrown your security out
the window. And in this situation, only the browser knows where
it last was.
>I figure
>I can't use a session as it is linked from another domain - same with
>cookies.
>Does this mean you really can't control it because the only thing that
>tracks where the browser has come from is the browser, and this can't
>be trusted.
Essentially, yes. If the two web servers in different domains are
under common administrative control (meaning, among other things,
that the same programmer could arrange changes on both of them),
so they could share a database, the referring web server could leave
a note that the referred web server could look at to see if the
same browser hit the referring page recently.
>I've thought about setting a cookie on the other domain that my domain
>will check (that way I'll know if they've at least come from there).
Cookies are designed not to work that way. Users need some privacy
left. And you (your web site) couldn't put anything (e.g. "remember
my login" cookies) into a cookie safely if every other web site the
user visits (including the evil ones) can see it (and try to hack
it).
>Can a cookie be set to be accessible from "any" domain?
No. And if it could, chances are everyone would ban them, and you'd
have about a gigabyte of them from doubleclick.net alone.
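
The shared-database "note" described in the reply above, sketched as an added example that is not part of the original post. It assumes the note is a random one-time token that the referring server appends to the link's query string (the post does not say how the browser is identified); SQLite, the function names and the five-minute window are illustrative choices.

```python
import secrets
import sqlite3
import time

TTL_SECONDS = 300  # assumed meaning of "recently": five minutes


def open_store(path=":memory:"):
    """Database both servers can reach (SQLite stands in for it here)."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS notes ("
        "token TEXT PRIMARY KEY, issued REAL NOT NULL)"
    )
    return db


def leave_note(db, now=None):
    """Referring server: store a random token and return it.

    The caller appends it to the outbound link, e.g. ?t=<token>.
    """
    token = secrets.token_urlsafe(32)  # unguessable, unlike a Referer header
    issued = time.time() if now is None else now
    db.execute("INSERT INTO notes VALUES (?, ?)", (token, issued))
    db.commit()
    return token


def check_note(db, token, now=None):
    """Referred server: accept only a known, unexpired, unused token."""
    now = time.time() if now is None else now
    cutoff = now - TTL_SECONDS
    # One DELETE both checks and consumes the note, so a copied link
    # cannot be replayed and two concurrent requests cannot both win.
    cur = db.execute(
        "DELETE FROM notes WHERE token = ? AND issued >= ?",
        (token or "", cutoff),
    )
    redeemed = cur.rowcount == 1
    # Housekeeping: drop notes that expired without being redeemed.
    db.execute("DELETE FROM notes WHERE issued < ?", (cutoff,))
    db.commit()
    return redeemed
```

The token proves only that someone holding that link arrived within the window; it is not a substitute for authenticating the user.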