Allow login to website only if request comes from another specific website

Question

I have a PHP/MySQL website (website 1) that has a login system that only asks for a PIN code (just a long numeric string). A user has 2 ways of login in with this code:

Answer 1

The problem is multi-faceted. $_SERVER['HTTP_REFERER'] is available to PHP, but can be spoofed or omitted and is considered unreliable.

Cross-domain cookies are a bit of a challenge as well; I understand it's possible, but haven't yet found time to implement it (we have a use case at work). At any rate, cookies, are also quite exploitable.

Possibly your best bet would be to have the link point on "Site A" point to a resource also on "Site A" that sets a random key/token and timestamp into a shared database and fowards the browser to "Site B" with that token. The receiving page on "Site B" would then verify the existence of the key/token in the GET string, check for its existence in the database and possibly match the User-Agent and Referer data and checking that the time was within $smallnum seconds after the timestamp entry for that key/token.