Library Authentication Tokens with Referring URL Authentication

The library providing the access must credential each library patron being sent to Books24x7. These credentials are provided in the form of authentication tokens; each user is assigned a single, unique and constant token by the library.

In order for patrons arriving from your site to be successfully authenticated, they must arrive at Books24x7 from a link found on the library’s own website. Furthermore, access to this URL must be restricted - it must not be an openly accessible location from the internet. In order to view the page which links to Books24x7, the patron must first authenticate themselves into the library’s website.

It is important that the correct Referring URL as seen by Books24x7 be provided. If you are unsure of the final form of the URL that patrons will be presenting to Books24x7, you can follow this procedure:

  1. Follow the link from your website to Books24x7 (http://library.books24x7.com/library.asp?site=YOURCODE)
  2. If you have previously provided us with referring URL values you may successfully establish a session. If you have not, you will be sent to a page indicating that you must login through your library.
  3. In either case, type in the following URL after you have attempted to access the service:
    http://library.books24x7.com/diagnostics.asp
  4. Make note of the referring URL and the IP that is displayed – these are what you will need to communicate to Books24x7 to complete your configuration. Also make note of the site code being shown and confirm that it corresponds to the one provided to you by Books24x7 and that it matches the one that you used in step 1 above.

Note: because of how most web browsers operate, it is important that users display the web page corresponding to the referring URL in their browser. If a user were only redirected to the referring URL from the welcome page at the library, and then immediately redirected to Books24x7, then they would not have the correct referring URL. A redirection response from a web server will not produce a Referring URL HTTP header; it will simply forward any Referring URL header that it sees.

It is recommended that the library calculate a token for each user based on whatever credentials the library has used to grant them access to its own restricted website. This could be a networkID, or a studentID, or a library card number. In order to protect the privacy of the library patron, the library can use a calculation to obscure the actual value of the credentials. We recommend that standard encryption be used to obscure the value presented to Books24x7.

We do not recommend calculating authentication tokens using a one-way hashing or checksum algorithm such as MD5. Though this will technically meet the requirements of uniqueness and constancy, it may prove to be impractical. Should issues arise with particular patrons, Books24x7 will provide to the library the token used by that patron. If a non-reversible encryption has been used, the library would be unable to decrypt the token in order to identify the actual patron.
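One way a library could calculate such a token is sketched below. This is an added example, not Books24x7's own code or a format it specifies. It assumes Node.js, hypothetical function names (`makeToken`, `resolveToken`), constructed demo keys and a constructed card number. Because the token must be constant, the IV is derived from the patron ID with HMAC-SHA256 (a synthetic-IV construction over AES-256-CTR) instead of being random; where a library offers AES-SIV (RFC 5297), that is the standardized equivalent.

```javascript
const crypto = require('crypto');

// Constructed demo keys (assumption): in production, load two independent
// 32-byte secrets from the library's secret store; they never leave the library.
const ENC_KEY = crypto.createHash('sha256').update('demo-enc-key').digest();
const MAC_KEY = crypto.createHash('sha256').update('demo-mac-key').digest();

// The IV is derived from the patron ID itself, so the same ID always encrypts
// to the same token. A random IV would give a different token on every visit.
function syntheticIv(patronId) {
  return crypto.createHmac('sha256', MAC_KEY).update(patronId, 'utf8')
    .digest().subarray(0, 16);
}

// Constant, unique token for one patron: hex(IV || AES-256-CTR(patronId)).
function makeToken(patronId) {
  const iv = syntheticIv(patronId);
  const cipher = crypto.createCipheriv('aes-256-ctr', ENC_KEY, iv);
  const body = Buffer.concat([cipher.update(patronId, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, body]).toString('hex');
}

// Reverse a token reported back by the vendor to the patron ID.
// Returns null if the token was altered or was not issued with these keys.
function resolveToken(token) {
  const raw = Buffer.from(String(token), 'hex');
  if (raw.length <= 16) return null;
  const iv = raw.subarray(0, 16);
  const decipher = crypto.createDecipheriv('aes-256-ctr', ENC_KEY, iv);
  const patronId = Buffer.concat([decipher.update(raw.subarray(16)),
    decipher.final()]).toString('utf8');
  // Recompute the IV from the recovered ID; a mismatch means the token is not ours.
  return crypto.timingSafeEqual(iv, syntheticIv(patronId)) ? patronId : null;
}

// Constructed sample library card number, for demonstration only.
const SAMPLE_ID = '21234000123456';
const sampleToken = makeToken(SAMPLE_ID);
console.log('token sent to vendor :', sampleToken);
console.log('resolved by library  :', resolveToken(sampleToken));
```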