How can I make a secure converson tracker with an img or js tag?

Question

I have a client who is deploying a simple affiliate program. Currently, if a visitor comes through the affiliate link, a cookie is set on a third party domain that does the affiliate tracking.

If the person purchases something, a tracking pixel is fired that sends the record to the 3rd party domain.

Obviously this is completely insecure. If someone gets the img or js code, they can just launch a bunch of sessions on different ips and make those requests and the affiliate software will record them as conversions.

The client has no ability to add any server side code, so I can't do a simple server to server call.

Is there any way to create a secure solution using just an IMG or Javascript? I think it's not possible, but maybe I'm not thinking of something.

Answer 1

If there is any user-specific or sale-specific information on the sales page, you could use JavaScript to grab it and send it along inside the query string of the IMG request.

For example, if you have a invoice number, sale ID, or username on the page, and JavaScript can navigate the DOM to retrieve it, you could append that information. Even if a malicious person forges it (creates fake usernames or forges invoice numbers), you're much more likely to catch a bunch of invalid usernames or invoices that don't match sales records.

It's not 100% secure, but it gives you a little extra information that's harder to spoof.