Restrict access to web site based on Referrer, cookies or something else

We have a scenario whereby we are hosting an ASP.NET MVC web site on behalf of someone else.

The customer in this case wants us to restrict access to the web site, to those users who have logged in to their main portal. They should then only be able to get to our web site via a link fr开发者_StackOverflow社区om that portal.

At this point I'm not yet sure what technology or authentication mechanism the 3rd party are using but just wanted to clarify what the possible options might be.

If we call our hosted site B, and their portal web site A,as I see it we could:

• Check the referrer for all requests to B, unless they've come from A they can't get in
• Check for a specific cookie (assuming A uses cookies)

I'm sure there are other options, anyone any ideas?

Check the referrer for all requests to B, unless they've come from A they can't get in

Can be faked, but most normal users won't do it.

Check for a specific cookie (assuming A uses cookies)

Ask them to embed in their portal some code portion from your site. This way visiting their portal will resulting in you setting a cookie for your domain. Then you can easily read it later.

One more thing to mention. If you're talking about public sites, then it will suffice for a search engine to somehow discover these hidden urls once, after which the game is over. It will index the pages and keep a cache of it. You may want to consider including some noindex/nocache meta tags in these pages.

But seriously, if you wish to have it done properly and secure, you're going to need some form of shared user authentication that that portal and your site both support.

The solutions you have posted are not secure.

In case this is an enterprise application with real requirements for security, you may want to look at some single sign-on solutions.

List of single sign-on implementations