My content locking solution (secure and cloaked)

Discussion in 'CPA' started by moanon, Apr 22, 2015.

  1. moanon

    moanon Registered Member

    Aug 30, 2014
    near Vienna, Austria
    Hi there ;)

    I just published an article on my blog which is about content locking so I thought I'd share it here. I don't want to say I'm a pro at this stuff or something but it's also more from a programmatic point of view.
    I hope I don't break any rules when I copy+paste the blog-post here and add a link at the bottom. If so, mods please feel free to remove all this, just don't get your banhammer out please I love this place haha :p
    There's also an article on scraping google on the blog if someone's interested :)

    Here's the article:

    The problems and what I wanted to achieve

    When looking at some content locking solutions I came to the conclusion that most of them are pretty insecure. I mean they just add some overlay over the content? Ever heard of developer tools? You can just remove this stuff by deleting it from the HTML markup. I mean most people may not know how to do this and maybe this isn't too much of a problem but e.g. I know someone who has a page in the gaming niche where he would give away stuff which costs him 30-40c for every lead someone gets him. Unlimited. Now think someone could go around this, that would be pretty bad.

    The next thing is when you're doing stuff which is a little bit "blackhat" you maybe don't want your CPA network to see where the guys filling out the offers come from. So you need some way to "cloak" your locked pages.

    Another problem I had was that I needed a way to let the user see the content only one time and really only one time, so when he reloads the page it should be locked again immediately. Most content locking solutions I saw would relock the page only after some time span like min. 24h.

    My solution

    This whole thing is split into two parts:

    • the page with the offers (let's call it "offer-page")
    • all pages where content needs to be locked ("content-page")

    But how to connect them?

    The idea here is that on the "offer-page", when someone fills out an offer and generates a lead, it shows some kind of "key" (randomly generated hash). This page has an API which allows you to "talk" to it from another page and check if a key is valid.

    The "content-page" shows at first only a form with an input box for such a key and some notice like "You need an unlock key to view this content" along with a link that says "Get your unlock key here!" which points to the offer-page. When an unlock key is entered on the content-page it will make a request to the offer-page to check if the key is valid and if it is it shows the locked content.

    The offer-page

    Let's go into more detail about this.

    What do you need

    • a domain and hosting naturally
    • an API from a CPA network
    • a database

    How to set it up

    You need a frontend for the user which displays the available offers. Pull the data for the offers from the API of your CPA network and display it on the page.

    Now you'll need a JavaScript which sends AJAX requests back to the server to check if a lead has been generated. This should send back false if no lead has been done or otherwise a key. This JS should send the requests back every few seconds and should first start with this as soon as someone clicks on an offer. This is because you need to display the key to the page and you can't really tell the user to refresh the page every now and then.

    On the server this check should do the following:

    It checks the API of the network with the IP of the user. If the lead count is more than 0 it should generate a key and store this key into a DB table and send it back. Now there's the problem that the lead count will stay at 1 also if a key is generated already so what I did was make a second DB table which stores the IP of the user and a counter that's always set to the lead count when a key is generated. That way also if you get 1 lead back from the API but 1 key was generated already it would still not count as lead and wouldn't create another key.

    When doing it that way you should always get the all time lead count from the API or otherwise set an expiration time in the IP database.

    Now when the JS gets a key sent back from the server it just removes the offers with something like "Your unlock key is: [key]".

    Now the user has a key and this key is stored in your database.

    The last thing you'll need for this offer-page is some API endpoint where you can send a request to from another page, including a key, and which sends back either if it is valid or not. Since we only want the user to see the page a single time it also should delete the key from the database after confirming it true.

    The content page

    The scenario is that the user can view the page only once with a key. Therefore when he loads the page he has a possibility of entering a key and if it's valid the real content shows up.

    The easiest way to achieve this is checking the request method. When the user enters a URL in the browser or gets to the page it's always a GET request. But if he submits a form a POST request is done. So in the background it checks for this and sends back the key form if it's a GET request. But if it's a POST request which includes the key it sends the key to the offer page via API call and if it's a valid key it sends back the real content. Otherwise it again just sends back the key form (maybe with some "invalid key" message).

    That's it.


    • People can't just remove some elements from the HTML markup and go around the locker
    • You can use the offer-page for any content you want to lock, on any page. Could also easily be built as WordPress Plugin.
    • For your CPA network all leads and clicks are coming from one single page and if you do blackhat stuff and they ask you where your traffic is coming from you could easily fool them since you can lock stuff on any page. Just take some legitimate blog, add the key form lock to some articles and tell them that's where your traffic comes from
    • You could also include multiple CPA networks' APIs so you would have even more offers to show and that could make you more revenue per lead since you could place more rentable offers on the page
    • You could be sure people have to fill out an offer any time they want to see that content again


    Maybe this gives someone some ideas, it's not a step-by-step instruction but more of a guideline but I think it's pretty useful for some projects. Also this could be adjusted for other scenarios quite easily.

    I hope you guys like it :) here's the link to the article:

    • Thanks x 1
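
The key flow described in the post above (one key per new lead, each key redeemable exactly once), as an added example that is not part of the original post or the linked article. Python with SQLite is an assumption, as are all table and function names; storing only a SHA-256 hash of each key is an added hardening choice, not something the post specifies.

```python
import hashlib
import secrets
import sqlite3


def open_store(path=":memory:"):
    """Create the two tables from the post: issued keys and per-IP lead counters."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS unlock_keys (key_hash TEXT PRIMARY KEY)")
    db.execute("CREATE TABLE IF NOT EXISTS lead_counters "
               "(ip TEXT PRIMARY KEY, counted INTEGER NOT NULL)")
    return db


def _digest(key):
    # Assumption: store only a hash, so a leaked table does not expose usable keys.
    return hashlib.sha256(key.encode("utf-8")).hexdigest()


def issue_key(db, ip, api_lead_count):
    """Return a fresh key only if the network reports more leads than already counted."""
    with db:  # one transaction: counter update and key insert succeed or fail together
        row = db.execute("SELECT counted FROM lead_counters WHERE ip = ?", (ip,)).fetchone()
        if api_lead_count <= (row[0] if row else 0):
            return None
        key = secrets.token_urlsafe(24)  # CSPRNG, 192 bits: not guessable
        db.execute("INSERT INTO unlock_keys (key_hash) VALUES (?)", (_digest(key),))
        db.execute("INSERT OR REPLACE INTO lead_counters (ip, counted) VALUES (?, ?)",
                   (ip, api_lead_count))
        return key


def redeem_key(db, key):
    """Check and delete in ONE statement, so two parallel requests cannot both succeed."""
    with db:
        cur = db.execute("DELETE FROM unlock_keys WHERE key_hash = ?", (_digest(key),))
        return cur.rowcount == 1


def handle_content_request(db, method, form):
    """GET, a missing key or a bad key get the form; a valid POSTed key gets the content."""
    if method == "POST" and redeem_key(db, form.get("key", "")):
        return "CONTENT"
    return "KEY_FORM"
```
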
  2. pasenseoso

    pasenseoso Power Member

    Aug 19, 2011
    - - P I L I P I N A S - -
    I actually did it years ago but with a custom content locker. I used different locked pages for different things to download but only ONE download page. Each time a visitor visits my locked page, a cookie is dropped in the browser. Once he activates the locker and completes an offer, he is then redirected to the download page and the page will check the cookie to see which particular locked page he has been on.

    Then a script will try to find what appropriate download will be available for the user. No additional database is required. It's only trying to stress the browser. Plus the user can't visit the locked page and jump to the download page simply because I have used some redirects to another domain which is masked which drops another cookie based on the previous cookie dropped then redirects to the main download page. I have no scripting knowledge. I just used if statements and cookie check scripts on PHP tutorials. :)
    • Thanks x 1
  3. cookiemonste

    cookiemonste Regular Member

    Aug 9, 2009
    I've found that having the content visible behind the locker increased my CR more than completely hiding/securing the content behind the locker and preventing 'inspect element' bypassing.
    • Thanks x 1
  4. jo080711

    jo080711 Regular Member

    Jan 7, 2015
    This is definitely pretty useful, thanks!
    • Thanks x 1
  5. moanon

    moanon Registered Member

    Aug 30, 2014
    near Vienna, Austria
    Sounds nice and respect for achieving this without scripting knowledge, not bad :) Sometimes such kind of solution is better than the standard implementations in my opinion. Besides having a more secure solution I like to have stuff reusable. May take some more of your time in the beginning but could save you some in the longer term ;)

    Thanks for the input :) I will update my blog post to mention this ;) It's just more tempting for the user to get the content when he already sees what he's about to get I guess, but you could also make it look like the content is already there by setting a background image or adding a screenshot or something like this. Depends on what you're offering a little bit I guess ;)

    Glad you liked it :) I'll try to cover more topics which might be useful for some of the BHW guys here so be ready for more to come ;)