Question

I want to implement a script for users to confirm that a website is owned by them (or at least they have control over it) like how Google Analytics does it. What is the most secure way of doing this? I know Google Analytics requires you to upload a script to your site's root directory, but are there other ways of doing it? Also, how does Google Analytics accomplish this?

Solution

Google Analytics does not require that you upload anything to your root directory, nor does it require that you own your domain. (It does provide an optional validation service, where it will try to tell you if you've added the Google Analytics snippet to your pages.)

Google Analytics accepts any hits to a particular account, and doesn't validate who owns what site. (This can rarely cause problems if someone grabs your Google Analytics snippet, account number included, and uses it on their own site, but that data can easily be filtered out.)

Some tools, like Google Webmaster Tools, require that you certify that you own a website.

The two most common ways of certifying ownership of a domain are:

  1. You are asked to upload a file with a particular name to your root directory, and it checks it.
  2. You are asked to create a DNS record with particular values, usually a CNAME record.

In both cases, the service checks if the change has been made, usually allowing the user to initiate the validation check (after they've completed the steps). Presumably, by using something like curl to see if the file exists, and/or by pinging the domain's DNS to see if the record exists.

EDIT:

So, the common method of doing number one is to instruct them to create a file with a particular name and particular contents. So, let's say you tell them to create a page called bz239239239.html, and tell them that the file should contain the text checkbz239239239.

Then, to validate that they followed your directions, (PHP sample)

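    // Fetch the verification file; file_get_contents() returns false on failure.
    $contents = @file_get_contents('http://example.com/bz239239239.html');
    // Only search for the expected text if the fetch succeeded.
    if ($contents !== false && strstr($contents, 'checkbz239239239'))
    {
        return true; // this condition means that the page exists and it contains the text that it should.
    }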

I'm not an expert in DNS, but my understanding is that DNS is considered to be as secure as the site itself. i.e., you can assume it's secure, but it is in theory possible for it to be hacked, but at that point, the entire site itself is compromised, which is their problem, not yours.
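
A stricter form of the file check described in the answer, as an added example that is not part of the original answer: the token is derived per account and per domain, and the fetched response must match it exactly. The secret, the `verify-` file name pattern, the account ids and the injected `fetch` callable are assumptions made for illustration; the sample responses are constructed.

```python
import hashlib
import hmac

# Assumption: a secret known only to the verifying service (constructed value).
SERVER_SECRET = b"constructed-demo-secret"
MAX_BODY = 256  # the file should hold the token and nothing else


def issue_token(account_id, domain):
    """Derive an unguessable token bound to one account and one domain."""
    msg = f"{account_id}\n{domain.lower()}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def check_response(status, final_host, body, domain, token):
    """Decide whether an already-fetched response proves control of domain."""
    if status != 200:
        return False  # error pages do not count as the verification file
    if final_host.lower() != domain.lower():
        return False  # content served by another host proves nothing
    if len(body) > MAX_BODY:
        return False  # reject large pages instead of searching inside them
    # Exact, constant-time match on the whole body rather than a substring test.
    return hmac.compare_digest(body.strip(), token.encode())


def verify_site(fetch, account_id, domain):
    """fetch(url) -> (status, final_host, body); hypothetical, injected by the caller."""
    token = issue_token(account_id, domain)
    url = f"http://{domain}/verify-{token[:12]}.html"
    return check_response(*fetch(url), domain, token)


def constructed_fetch(url):
    """Stand-in for an HTTP client: example.com has published acct-42's file."""
    token = issue_token("acct-42", "example.com")
    if url == f"http://example.com/verify-{token[:12]}.html":
        return 200, "example.com", token.encode() + b"\n"
    return 404, "example.com", b"Not Found"


if __name__ == "__main__":
    print(verify_site(constructed_fetch, "acct-42", "example.com"))  # owner's account
    print(verify_site(constructed_fetch, "acct-99", "example.com"))  # different account
```

In a real deployment `fetch` would wrap an HTTP client that reports the host that finally served the response, so redirects to another site are rejected.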

Licensed under: CC-BY-SA with attribution