The company that I work for wants to provide a means of allowing our clients to provide links to our site for the purpose of allowing their own clients to schedule a payment to them through us.
We want the solution to be as seamless and easy to use as possible. Our clients are not likely to have the ability to do any sort of programming or scripting on their side, and so we want to simply provide them with a link that they can use that will reliably identify which of our clients sent this person to our website.
My first thought was to simply use the query string to pass along their unique identifier as a parameter. We would generate this link for them and even host an image for it on our own servers. We do not want their identification number to be accessible to observers, nor do we want our clients to have to make their own links.
The only solution that we've come up with is to simply encrypt our local identifier with a timestamp, store the creation event in our database, and use this information to check against the provided encrypted value in the query string when we get hits to our site.
This prevents data from leaking out (so far as we can tell) but does nothing to prevent anyone from copying the link and using it anywhere (but really, we want our clients to just be able to stick it anywhere and just work).
Are we making significant tradeoffs in terms of security for ease of use? Should we instead just set up an account to be used by anyone at that particular client of ours to at least enforce the "idea" of security? (A shared login for all of their clients isn't very secure either, is it?)
Ultimately our goal is to make this a fast, transparent process. Do we have to sacrifice security to make it fast and transparent?
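Added example, not code from the question above: a minimal implementation of the link scheme the question describes (mint a per-client link, record its creation in the database, and resolve the value in the query string on each hit). Instead of encrypting the client identifier with a timestamp, it uses a random opaque token as the database key, which keeps the identifier out of the URL in the same way without needing any key management; the verification step is then a lookup against the stored creation record. The base URL, the table layout and the in-memory SQLite database are assumptions standing in for the real site and database.

```python
import secrets
import sqlite3
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical payment-scheduling endpoint; the real host is not named in the question.
BASE_URL = "https://pay.example.com/schedule"

# Constructed stand-in for the real client database: an in-memory SQLite table.
# One row per generated link records the creation event the question describes.
conn = sqlite3.connect(":memory:")
conn.execute(
    """CREATE TABLE referral_links (
         token      TEXT PRIMARY KEY,
         client_id  INTEGER NOT NULL,
         created_at INTEGER NOT NULL,
         revoked    INTEGER NOT NULL DEFAULT 0)"""
)


def mint_referral_link(client_id: int, now: Optional[int] = None) -> str:
    """Create a link for one client. The token is random, not derived from
    client_id, so an observer of the URL learns nothing about the identifier."""
    token = secrets.token_urlsafe(24)  # 192 bits of CSPRNG output, URL-safe alphabet
    conn.execute(
        "INSERT INTO referral_links (token, client_id, created_at) VALUES (?, ?, ?)",
        (token, client_id, now if now is not None else int(time.time())),
    )
    conn.commit()
    return f"{BASE_URL}?{urlencode({'ref': token})}"


def token_from_url(url: str) -> Optional[str]:
    """Pull the ref parameter out of an incoming request URL, if present."""
    values = parse_qs(urlparse(url).query).get("ref")
    return values[0] if values else None


def resolve_referral(url: str) -> Optional[int]:
    """Map a hit on our site back to the client that was given the link.
    Returns None for a missing, unknown, altered or revoked token. The lookup
    is an exact match on a 192-bit random value, so guessing one is infeasible;
    the database decides validity, which is what allows revoking a link later."""
    token = token_from_url(url)
    if token is None:
        return None
    row = conn.execute(
        "SELECT client_id FROM referral_links WHERE token = ? AND revoked = 0",
        (token,),
    ).fetchone()
    return row[0] if row else None


def revoke_referral(token: str) -> bool:
    """Disable a leaked or retired link. Nothing in the URL itself stops it
    from being copied and used elsewhere, which is the trade-off the question
    notes; server-side revocation is the control that remains."""
    cur = conn.execute(
        "UPDATE referral_links SET revoked = 1 WHERE token = ? AND revoked = 0",
        (token,),
    )
    conn.commit()
    return cur.rowcount == 1
```

Because the token is a bearer value, the link resolves wherever it is pasted, exactly as the question wants; the `revoked` column is what lets you switch off a particular link if it turns up somewhere it should not, without touching the client's other links.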