| 6:09 pm on Nov 8, 2011 (gmt 0)|
|Is there an alternative approach |
scripts and/or session IDs.
| 10:16 pm on Nov 8, 2011 (gmt 0)|
|Is there an alternative approach, perhaps by giving permission to the html pages that display the images but denying other access? |
That's what you're already doing in your hotlink-blocking routine. But you're right that denying all null referers will exclude some legitimate human visitors. And then you have to start making exceptions for the ever-growing list of google translation and allied services that, again, involve perfectly legitimate humans.
But how are they getting into the file path in the first place? If you've got auto-indexing turned off-- which you should do by default anyway-- they'd get hit with a 403 before they ever see the files. In fact that's what 403 means to an ordinary human: not "Go away you evil robot" but simply "This directory doesn't have an index".
| 8:55 am on Nov 9, 2011 (gmt 0)|
Thanks Wilderness and Lucy for your responses.
| 10:54 pm on Nov 9, 2011 (gmt 0)|
If the pictures are important and you really need to exclude people who enter the exact filename "cold" (as opposed to prowling about the directories), you may have to lock out some innocent users. It's one of those icky trade-offs.
Apache itself can't distinguish between where the user actually is-- that is, on your page or just sitting in front of a blank monitor-- and what they did to get to a picture. To your htaccess file, there's no difference between blatant hotlinking and "click to see full-size image". And there's no difference between the various kinds of null referer.
It can mean at least three different things:
1. The user entered the filename directly (or via a bookmark).
2. The user's browser and/or IP doesn't send referers.
3. The user deliberately configured their browser not to send referers.
If you lock out groups 1 and 3, you're also locking out group 2.
You can set cookies that tell you whether the user really is on the page that's requesting the image. But then you have to deal with the various reasons for people turning off cookies. Some sites put up a little message saying "To use this page, you must have cookies enabled in your browser." Usually they say it before even trying to write a cookie, which makes no sense to me.
And then you have to run two different hotlink routines: one for the bona fide hotlinkers, another for the people who might be unsuspecting victims of their IP, or using a public terminal where they can't change the settings. You don't want to scream NO HOTLINKS in green-on-magenta (that's what mine does ;)) at people who aren't doing anything wrong.
It is probably impossible to keep people from downloading an image that they arrived at legitimately. You can only make it more hard or less hard. But at least they've seen it in context once.
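An .htaccess fragment that makes the trade-off described above concrete (directory listing off, then a strict and a relaxed hotlink rule side by side). This is an added example, not either poster's configuration; the hostname example.com, the /images/ path, the image extensions and the placeholder image name are assumptions.

```apache
# Added example (not from the thread). Assumes the site is example.com and
# the images live under /images/ -- both constructed values.

# Turn off auto-indexing: a visitor who strips the filename from a URL gets
# a 403 for the directory instead of a browsable list of every image.
Options -Indexes

RewriteEngine On

# --- Strict variant: block hotlinks AND empty referers ---------------------
# An image is served only when the Referer header names this site. An empty
# Referer (typed URL, bookmark, privacy-configured browser, referer-stripping
# proxy) is treated exactly like a hotlink, so groups 1, 2 and 3 from the
# post above are all locked out together. Commented out; enable one variant.
#RewriteCond %{REQUEST_URI} ^/images/ [NC]
#RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
#RewriteRule \.(jpe?g|png|gif)$ - [F,L]

# --- Relaxed variant: block hotlinks, let empty referers through -----------
# Only a request whose Referer points at some OTHER site is treated as a
# hotlink and answered with the placeholder image. A request with no Referer
# at all is served normally, which also means a visitor who types the exact
# filename "cold" is not blocked. That is the trade-off: fewer false hits on
# innocent users, but no protection against direct requests.
RewriteCond %{REQUEST_URI} ^/images/ [NC]
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(jpe?g|png|gif)$ /no-hotlinks.png [NC,L]

# The placeholder lives outside /images/, so the first RewriteCond excludes
# it on the internal rewrite and the rule cannot loop on itself.
```

The two variants differ only in the `!^$` condition: with it, a blank Referer passes; without it, a blank Referer is refused along with genuine hotlinks.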
| 6:01 pm on Nov 14, 2011 (gmt 0)|
As you say:
|You can only make it more hard or less hard |
I have probably done enough. I've managed to avoid cookies so far but thanks for the suggestion.