Problem: A download link should be displayed in a user's home page. That download link should ONLY be accessible if the user logged in.
But the real problem is that the user's home page and the download link are on separate web servers.
Is there a way I can send a token with the download link and validate it there?
If the user clicks the link, he is going from his server to your server.
And if he is logged in on your server, then you can do whatever checks you need since he is trying to access the file on your server. Even though the link is displayed on some other server.
That is if you are using sessions to keep the user logged in, it should be enough in the download code to start the session with session_start() and the user should get logged in session he has already.
users server = serverA.com
your server = serverB.org
if i understand it right, the problem is, that the user is only logged in on server A, but not on server B, and there's no way to share the session state (e.g. session handling over a database)?
from the top of my head, i can think of one option:
server B simply asks server A
means: link on serverA contains the users session id*. serverB then asks server A if the session is valid.
you can't do it without communication between those two servers.
* note: instead of the session-id it would be better to use a random token. session ids should not be private.
that won't stop your users to share the url, so if they want someone else to download the file, they can simply pass the url around. on the other hand, a malicious user could also do this with his session-id.
You could make the download link submit a form with the user info to the target server. There are security implications in doing that, because the login info would appear in the source of the page as values for hidden form fields, so perhaps that not the way you'd like to go.
A second option would be to store the session info in a database, and then simply pass the session key to the new server. This would require the second server be able to contact the first server's database and run a query on it. Setting up a username with permissions to login from that server for read access should be sufficient to do that without opening many security holes.
Finally, you could set up a web service on the first server that would return a yes/no answer when given a username, verifying the logged in status of the user. The receiving link on the second server would then take the username and verify the logged in status before building the response.