Unique URL Every Time

You could use a partial implementation of JWTs to pass a unique token including identifying information and the requested post ID (or slug) as the endpoint, and check the identifying info upon validation.

URLs containing a unique token can be rewritten to pass the token as a specific variable. A 'parse_query' action hook can then check for the presence of the token variable, and replace the query with one that will return the proper post if the token is valid – or an error if it isn’t.

In this manner, only the visitor issued the token could use it to access the post (unless someone else both acquires the token and spoofs the original visitor’s IP – this could be further secured with a cookie or session ID of some sort). Forging tokens is impossible without your secret.

$secret="{insert randomly generated string here}";
$custom_post_type="my_cpt";
$unique_url_base="cpt";

add_action( 'init', 'wpse_212309_rewrite_unique_token_url' );

/**
 * Adds a rewrite rule to forward URLs in the format /cpt/{unique token} to
 * index.php?post_type=my_cpt&unique_token={unique token}. Supersedes WordPress
 * rewrites for the endpoint.
 **/
function wpse_212309_rewrite_unique_token_url(){
    add_rewrite_rule(
        trailingslashit( $unique_url_base ) . '([^\.]*.[^\.]*)$',
        'index.php?post_type=" . $custom_post_type . "&unique_token=$matches[1]',
        'top'
    );
}

add_action( 'parse_query', 'wpse_212309_decode_unique_token_query' );

/**
 * Replaces queries for the 'my_cpt' post-type containing a unique token with
 * the appropriate 'my_cpt' post if the token is valid (i.e., passed to the
 * server from the client IP to which it was assigned).
 **/
function wpse_212309_decode_unique_token_query( $wp ) {
    if( is_admin() )
        return;

    if( isset( $wp->query_vars[ 'p' ] ) || $custom_post_type != $wp->query_vars[ 'post_type' ] || empty( $_GET[ 'unique_token' ] ) )
        return;

    $post_id = wpse_212309_get_post_id_from_unique_slug( $_GET[ 'unique_token' ] );

    if( ! $post_id ) {
        $wp->set_404();
        status_header( 404 );
        return;
    }

    $wp->parse_request( 'p=' . $post_id );
}

/**
 * Encodes data into a URL-friendly JWT-esque token including IP information
 * for the requesting party, as well as an optional expiration timestamp.
 **/
function wpse_212309_encode_token( $payload, $expiration = null ) {    
    $payload[ 'aud' ] = hash( 'md5', $_SERVER[ 'REMOTE_ADDR' ] . $_SERVER[ 'HTTP_X_FORWARDED_FOR' ] );
    $payload[ 'iss' ] = time();

    if( isset( $expiration ) )
        $payload[ 'exp' ] = $expiration;

    $payload = base64_encode( json_encode( $payload ) );
    $hash    = hash( 'md5', $payload . $secret );

    return urlencode( $payload . '.' . $hash );
}

/**
 * Decodes a token generated by 'wpse_212309_encode_token()', returning the
 * payload if the token is both unaltered and sent by the original client IP
 * or false otherwise.
 **/
function wpse_212309_decode_token( $token ) {
    if( empty( $token ) || -1 === strpos( $token, '.' ) )
        return false;

    $token   = urldecode( $token );
    $token   = explode( '.', $token );
    $hash    = $token[1];
    $payload = $token[0];

    // If the payload or the hash is missing, the token's invalid.
    if( empty( $payload ) || empty( $hash ) )
        return false;

    $hash_check = hash( 'md5', $payload . $secret );

    // Has the payload and/or hash been modified since the token was issued?
    if( $hash_check !== $hash )
        return false;

    $payload = base64_decode( $payload );

    if( ! $payload )
        return false;

    $payload = json_decode( $payload, true );

    if( ! $payload )
        return false;

    $audience_check = hash( 'md5', $_SERVER[ 'REMOTE_ADDR' ] . $_SERVER[ 'HTTP_X_FORWARDED_FOR' ] );

    // Was this token passed to the server by the IP that it was issued to?
    if( $audience_check != $payload[ 'aud' ] )
        return false;

    // Does the payload have an expiration date - if so, has it expired?
    if( ! empty( $payload[ 'exp' ] ) && $payload[ 'exp' ] > time() )
        return false;

    // Token validated - return the payload as legitimate data.
    return $payload;
}

/**
 * Produces a token associating a post ID with a particular client, suitable
 * for inclusion in a URL. Optionally takes a "time to live" argument, in
 * in seconds, before the token should expire.
 **/
function wpse_212309_generate_unique_slug( $post_id, $ttl = null ) {
    $expiration = null;

    if( $ttl )
        $expiration = time() + $ttl * 1000;

    return wpse_212309_encode_token( array( 'pid' => $post_id ), $expiration );
}

/**
 * Returns a post ID from a token if the token was in fact issued to the 
 * requesting client IP, or false otherwise.
 **/
function wpse_212309_get_post_id_from_unique_slug( $token ) {
    $payload = wpse_212309_decode_token( $token );

    if( ! $payload )
        return false;

    return $payload[ 'pid' ];
}

How you actually send visitors to the unique URLs containing a token depends on your application (i.e. how you set up your “search tool”), but using the implementation above you can retrieve a visitor-unique slug for a post ID like this:

// A slug that only works for the visitor it was issued to:
$unique_slug = wpse_212309_generate_unique_slug( $post_id );

// OR, for one that additionally expires in an hour:
$unique_slug = wpse_212309_generate_unique_slug( $post_id, 3600 )

Related Posts:

  1. Custom slug in front of search URL
  2. How do i change the search permanent links
  3. add_rewrite_rule not working for language specific characters
  4. Changing the search URL?
  5. Rewrite: WordPress URL rewrite on Search
  6. Force search form to go to clean url without multiple redirects
  7. WordPress search rewriting
  8. Change /search to /somethingelse
  9. Page not found: Custom search form with a custom search page
  10. WordPress how to prevent URL encoding in URL of taxonomy terms
  11. Changing the wordpress default search url to something like – …example.com/search?query=keyword
  12. How to change search page url so that it still returns a page when there’s no search query specified?
  13. Redirect empty search to another page
  14. How to add Search URL parameters to a Page Template Page for Custom Post Type
  15. Why is there a 404 on page 2+ for my search page?
  16. Rewrite URL for Search + Special Characters / Umlaute
  17. Change the search URL
  18. How to turn off searching from URL and go straight to 404 page
  19. How to make custom WordPress page deliver search results
  20. Use a template file for a specific url without creating a page
  21. Using the Rewrite API to Construct a RESTful URL
  22. Adding rewrite endpoint breaks static front page
  23. generate_rewrite_rules (action) vs add_rewrite_rule (function): which one is preferred?
  24. Is the SEO plugin necessary?
  25. How to remove “admin.php?page=” from wp-admin using .htaccess?
  26. Changing directory and/or URL structure
  27. How do I add a add_rewrite_rule without it redirecting?
  28. Pretty URLs or permalinks for attachments
  29. How to prepend route with /blog for blog listing page only
  30. Need help with a custom rewrite rule – http://domain/custom post slug/replies
  31. Server (WordPress) redirects files that are not supposed to (using htaccess)
  32. Dynamically redirect page based on URL?
  33. Changing WordPress blog name and web address
  34. htaccess: Remove trailing slash from URL ending with .xml/ only
  35. Why is WP creating both “/?tag=” and “/tag/” URLS for same content?
  36. Using Blog Parent Slug on Blog Posts Only
  37. Regionalised Content
  38. Custom URL rewrite to specific page template
  39. Map alt domain to specific section of website w/o MU
  40. Get the category is not working on url
  41. Remap URLs from Relative to Absolute
  42. Have two different URLs show the homepage
  43. Double domain name in category URL-s
  44. Access files at new location using old file paths
  45. Adding special characters to slug?
  46. WP is ignoring .htaccess rewritten URL
  47. a one-off rewrite rule
  48. Get url-friendly version of the_title?
  49. Rewrite ugly URL to clean URL
  50. Url rewrite on index.php?term=[term_name]
  51. Translate custom post type and taxonomy slug in URL?
  52. Change pagination url format
  53. WPML language switcher for custom rewrite rules
  54. How can I change the permalink of a translated home page?
  55. How to write Rewrite rule for same path using Rewrite API?
  56. Add word to permalink when custom field has a value
  57. simple add_rewrite_rule added, refuses to work
  58. 301 Redirect all posts urls from .html to / (without .html)
  59. Capturing /page-name/[0-99999] in both template and number
  60. custom wordpress rewrite
  61. Keep requested/entered url with add_rewrite_rule
  62. Get wordpress installation folder
  63. Disable WordPress from changing URL slug when post is published
  64. Two sets of url one content?
  65. Rewrite Rule for homepage not working correctly
  66. Remove wp-admin from the URL
  67. WordPress .htaccess ignore path and subsequent .htaccess files in subfolders
  68. Adding Rewrite URL for Base + Children Separately
  69. How to customize sub-URLs in a wordpress website (.htaccess)
  70. Rewriting a date hierarchy into a ‘yyyy-mm-dd’ slug
  71. URL rewrite( I think? )
  72. custom url – add attachment’s id or name after post
  73. Help with WordPress custom url rewriting?
  74. loading images, css and fonts from site url
  75. Query vars to return the homepage
  76. dynamic URL rewrite
  77. Rewrite Search URL Permalink For CPT Custom Taxonomies
  78. Remove part from dynamic url and redirect
  79. Rewrite rule can’t get the ID from rewrited
  80. How to Update / Change URL when Popup Modal Loads?
  81. How wordpress core include search.php with $_GET[‘s’]?
  82. Dynamic Content w/ geolocation in WP?
  83. Routing in WordPress
  84. url redirect none www to www
  85. Stop wordpress from prettify URL
  86. How to remove Base URL Duplication?
  87. Rewrite URL query string for all pages
  88. WordPress doesn’t remember my custom rewrite rule
  89. Custom urls in WordPress involving page slugs
  90. how to change some of the rules in the database
  91. Rewriting URLs with query strings and preserving them
  92. Custom Rewrite for Profiles
  93. Pagination posts. Url format
  94. how rewrite is working in wordpress
  95. How to prevent URL-modification when page title contains digits only?
  96. How do I display a friendly URL link in the frontend?
  97. rewriting an Url
  98. Please give me the rewrite rules for my ugly urls
  99. Rewrite rule to simulate page hierarchy results in 404
  100. add_rewrite_rule not working with custom variables

Leave a Comment