Allow login to website only if request comes from another specific website

Happy的楠姐
Happy的楠姐 2021-01-14 03:57

I have a PHP/MySQL website (website 1) that has a login system that only asks for a PIN code (just a long numeric string). A user has 2 ways of logging in with this code:

3 answers
  •  误落风尘
    2021-01-14 04:23

    I'm going to post this answer that I came up with thanks to the other answers/comments made by fellow SO users. I think it's a pretty simple method (simplicity is good in this case), and that it should work, but of course if it has any big flaw it'd be great to know :)

    Like I say in the OP, security (in terms of some savvy user getting around this and using the link directly instead of from website 2) isn't a huge deal here, we can deal with a small number of exceptions.

    Here's the idea:

    • Give the user in website 2 a link to a function in that same domain
    • That function grabs the PIN (i.e. 1234567890) that each user will have, and the current timestamp (i.e. 1417812842), creating a token using those 2 values, using another function that both websites will know (some sort of hashing with salt, for example)
    • Generate a redirect from website 2 to website 1, with a URL that includes the PIN and the token, something like: http://myURL.com/process_login_request.php?pin=123456789&token=abc123def456
    • A function in process_login_request.php, using the same function that was used to generate the token in website 2, will generate a number of tokens for the past X seconds (let's say 10 seconds), using the PIN and the timestamps for the past 10 seconds.
    • If any of the generated tokens matches the received token, that means the request was OK, and we allow the login

    I think it's easier to implement than to explain though. The idea basically is that we use timestamps in a short period of time (the time between the user "clicks" the link that should take him to website 1 and the time he actually lands on website 1). I said 10 seconds, but we could increase that as necessary if 10 seconds is too short (which I think it shouldn't be).
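One way to implement the scheme described in this answer in PHP, shown here as an added example rather than the poster's code. It follows the answer's approach (website 2 issues a token from the PIN and the current timestamp; website 1 recomputes the token for each of the last 10 seconds and accepts on a match), with two additions a defender would want: the token is a keyed HMAC under a secret shared by both sites rather than an unkeyed "hash with salt", so someone who sees the URL cannot forge tokens for other PINs, and each token is accepted only once, so copying the URL within the window does not work. `$sharedSecret`, `TOKEN_WINDOW_SECONDS`, the `$usedTokens` store and the function names are assumed names for this example; the secret value is a constructed placeholder.

```php
<?php
// Added example, not code from the original question or answer.
// Assumptions: both sites hold the same $sharedSecret (exchanged out of band),
// their clocks are roughly in sync, and the window is the answer's 10 seconds.

const TOKEN_WINDOW_SECONDS = 10;

// Token = HMAC-SHA256 over "pin|timestamp", keyed with the shared secret.
// A keyed MAC (unlike a plain salted hash) cannot be recomputed by a user
// who reads the URL, so tokens for other PINs or timestamps cannot be forged.
function make_login_token(string $pin, int $timestamp, string $sharedSecret): string
{
    return hash_hmac('sha256', $pin . '|' . $timestamp, $sharedSecret);
}

// Website 2: build the redirect URL for the current second.
function build_redirect_url(string $base, string $pin, string $sharedSecret, int $now): string
{
    $token = make_login_token($pin, $now, $sharedSecret);
    return $base . '?' . http_build_query(['pin' => $pin, 'token' => $token]);
}

// Website 1 (process_login_request.php): recompute the token for each of the
// last TOKEN_WINDOW_SECONDS seconds and accept if one matches.
// $usedTokens stands in for a database table of tokens already redeemed.
function verify_login_token(string $pin, string $token, string $sharedSecret, int $now, array &$usedTokens): bool
{
    // Replay check: each token is redeemable once, even inside the window.
    if (isset($usedTokens[$token])) {
        return false;
    }
    for ($age = 0; $age <= TOKEN_WINDOW_SECONDS; $age++) {
        $expected = make_login_token($pin, $now - $age, $sharedSecret);
        // hash_equals compares in constant time, so timing does not leak the token.
        if (hash_equals($expected, $token)) {
            $usedTokens[$token] = $now;
            return true;
        }
    }
    return false;
}

// Demonstration with constructed values.
$sharedSecret = 'replace-with-a-long-random-secret'; // constructed placeholder
$pin = '1234567890';                                  // PIN from the answer
$issuedAt = 1417812842;                               // timestamp from the answer
$usedTokens = [];

$url = build_redirect_url('http://myURL.com/process_login_request.php', $pin, $sharedSecret, $issuedAt);
parse_str((string) parse_url($url, PHP_URL_QUERY), $params);

// First use, 3 seconds after issue: inside the window.
var_dump(verify_login_token($params['pin'], $params['token'], $sharedSecret, $issuedAt + 3, $usedTokens));
// Same token presented again: rejected as a replay.
var_dump(verify_login_token($params['pin'], $params['token'], $sharedSecret, $issuedAt + 4, $usedTokens));
// Token that was never issued by website 2: rejected.
var_dump(verify_login_token($params['pin'], 'abc123def456', $sharedSecret, $issuedAt + 3, $usedTokens));
// Valid token presented 30 seconds after issue: outside the window.
$late = make_login_token($pin, $issuedAt, $sharedSecret);
var_dump(verify_login_token($pin, $late, $sharedSecret, $issuedAt + 30, $usedTokens));
```

In production the `$usedTokens` array would be a table keyed by token with rows older than the window pruned, and the shared secret would live in configuration on both servers, never in the URL. Because the PIN is the only credential, the redirect should also be served over HTTPS so the PIN and token are not visible on the wire.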
