Thread: 'Thank you page' protect with session

Hi Guys,

I got this code that works by protecting your 'Thank you page' on say ClickBank. It can redirect the person to a specified page if the person didn't come from CB and as such hasn't purchased the product/service. Nice! However, someone can still copy/bookmark the whole URL after purchasing the product from CB and later visit the same URL to fill the order page/download the doc again.

What i would like to find out is if this code could be manipulated in a way that the 'thank you' page could have a time that could expire upon the first visit. The session just times-out within like 30mins? Upon the first visit after purchasing and being forwarded to the 'Thank you' page, that URL/page expires like after 30mins or 1hr?

Here is the code:

Code:

<?php // yourdeliverypage.php
function cbValid()
{ $key='Your Secret Key';
  $rcpt=$_REQUEST['cbreceipt'];
  $time=$_REQUEST['time'];
  $item=$_REQUEST['item'];
  $cbpop=$_REQUEST['cbpop'];

  $xxpop=sha1("$key|$rcpt|$time|$item");
  $xxpop=strtoupper(substr($xxpop,0,8));

  if ($cbpop==$xxpop) return 1;
  else return 0;
}
if (!cbValid($rcpt, $time, $item, $cbpop)) {
// redirect
header ("Location: http://www.anyurlyouwant.com/");
exit;
}
?>

Thanks for your help.

That's an awesome idea. I wish my php skills were up to that level to help you out!

I use a service to do the same thing you are proposing. That way the "Thank you" page is encrypted on their website, not mine. Very inexpensive per month and it does not charge by the number of items I am selling.

Rod

Originally Posted by rodrico101

That's an awesome idea. I wish my php skills were up to that level to help you out!

I use a service to do the same thing you are proposing. That way the "Thank you" page is encrypted on their website, not mine. Very inexpensive per month and it does not charge by the number of items I am selling.

Rod

Rod, what service is that?

I use e-junkie.com
It's like a whole $5 a month.

You can use it with Clickbank products and also selling any other ebook type products. Their service will create the paypal button coed for you and your product.

Rod

Do you know what format the time is in and does it incude the date?

If so you could check the current time and expiry period in seconds.

PHP Code:

<?php
if (strotime($time) +60*30>time())
{
//redirect
}
else
{
//show page
}

?>

Regards

Bob

Hello Bob, The code looks promising. Thnx. I know the +60*30 represents time. Is it seconds or minutes?

And pls, i would want the page to expire say after 30mins after the page is first displayed for the user. For eg. with reference to clickbank purchases, after the payment has been made(and authenticated), the customer is taken to the 'Thank you page' to fill a JOB CARD in my case.(The JOB CARD url will have all the encryption of the 'cbpop, time purchased, etc.) It is this encypted URL of the 'Thank you page' that i would want expire in certain minutes so that even when someone bookmarks/copies it and revisits it to try to re-order, it would have expired by then .

So Bob, can the code you provided execute this function?

Cheers in advance.

Sorry I didn't get back to you sooner but I've been busy.

The time is in seconds so 60*30 represents thirty minutes.

Another way would be to store $_SERVER['QUERY_STRING'] and the time of visit in a database and check the database to see if the user has already visited the page.

Regards

Bob

Thanks for your post...and thanks for the code that you gave to us in that post...That is awesome...William Wilson

First of all, you haven't really specified what your URLs look like here...

PHP's $_REQUEST[] superglobal applies to both GETs and POSTs so it's hard to tell exactly what we're dealing with (although since the URL is bookmark-able, it's probably GET).

Assuming this,

As Donk suggested, using a database to store the unique query string identifier would definitely be the easiest solution here.

If you don't have an extra DB table to spare, you'll probably have to resort to a little bit of raw ingenuity. Although cookies and sessions would work in theory, neither are secure or practical enough for this scenario.

My best suggestion would be formatting the 'Thank You' page url as such:

Code:

                                            unique     unix time
                                            key        (10 digits)
http://yoursite.com/thank-you.php?cbreceipt=1234abcd_1244577730

This way, the URL your customers are visiting actually contains the time it was created, but they won't even realize it (this way it can't be manipulated like a cookie could be).

When you perform your time check, you could just do something like this:

PHP Code:

<?php
$receipt = $_GET['cbreceipt'];
$parts = explode('_', $receipt);
$rcpt = $parts[0] // <-- $rcpt is from original script
$created = $parts[1] // <-- time the link receipt was created
?>

Then you could just take the '$created' value and compare it to the current 'time()' value, just as Donk suggested.

Bob and Jonny, u both are brilliant! Thanks a bunch! I have a problem with the code:

Code:

<?php
if (strotime($time) +60*30>time())
{
//redirect
}
else
{
//show page
}

?>

. When i implemented it, and made a test purchase at clickbank, instead of being re-directed to the 'Thank you page it normally does without the above code, it rather parsed an error code to me:

Code:

Fatal error: Call to undefined function strotime() in /home/africannia/public_html/mywebsite.com/order1.php on line 23

However, after changing the (strotime($time) to (strtotime($time), it redirected me to the 'Thank you page' alright but the URL did not expire after the 30mins. When i refreshed it, it stiil worked. when i bookmarked the URL and re-visited it after 30mins, it still worked.

What could be the problem?


BTW, am gonna try the database thing also and report back. Again!