Rejecting Users

Not academic

10:40 pm on Mar 19, 2008 (gmt 0)

10+ Year Member



Hello,

I run a small website. I have the following code in my .htaccess file

RewriteCond %{HTTP_REFERER} !^http://domain-removed/.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://domain-removed/.*$ [NC]
RewriteRule .*\.(jpg¦jpeg¦gif¦png¦bmp¦swf¦flv¦zip¦exe¦xml)$ - [F,NC]

This works very well for me. I want to go a step further and FAIL any access where the Referer is blank/empty.

I have messed around with the above code hoping to modify it but it lets me down when someone enters just the domain name in their browser.....instead of getting index.html they get the fail message.

So, I am missing something, and I don't know where to look...can anyone help please?

Many thanks in advance......

Xapti

11:50 pm on Mar 19, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I don't get what you want though... when you just type in the address there is no referrer, what are you expecting?

jdMorgan

1:00 am on Mar 20, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The code above blocks access only to media, zipped, executable, and xml files. It will block many innocent users who connect to the 'net from behind corporate or ISP caching proxies -- all of which may remove the HTTP_Referer header without the user's knowledge.

The HTTP_REFERER header is optional in HTTP and as such, you should always *allow* it to be blank. This does indeed constitute a "hole" in your access control, but one you must live with if you want those visitors.

If you need more-reliable access control, then using a cookies-and-script method is one way to implement it: set an "access-allowed" cookie on your 'entry' page, then check for it and warn the user to enable cookies if it's not set, and then refuse to serve protected content to any visitor who does not have your "access-allowed" cookie set. You can expire the cookie when the browser session is closed, after a fixed period of time has elapsed, or change its value to "not allowed" after the visitor leaves a particular area of your site.

So, fixing your existing code to allow blank referrers and cleaning it up a bit, we get:


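# This condition fails, and the rule is skipped, when the Referer header is blank
RewriteCond %{HTTP_REFERER} .
# The Referer is not one of our own domains
RewriteCond %{HTTP_REFERER} !^http://domain1-removed [NC]
RewriteCond %{HTTP_REFERER} !^http://domain2-removed [NC]
# All three conditions true: answer 403 Forbidden for these file types
RewriteRule \.(jpe?g¦gif¦png¦bmp¦swf¦flv¦zip¦exe¦xml)$ - [F,NC]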

Jim
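
A sketch of the cookie-and-script method described in the post above, added here as an example; it is not code from the thread or from any participant. It goes one step beyond the post by signing the cookie value and embedding its expiry, since a bare "access-allowed" value can be set by any client. SECRET, TTL and all function names are assumptions, and the protected file types are the ones from the RewriteRule.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, never sent to the browser
COOKIE = "access-allowed"         # cookie name used in the post
TTL = 1800                        # assumption: the "fixed period", here 30 minutes
PROTECTED = (".jpg", ".jpeg", ".gif", ".png", ".bmp",
             ".swf", ".flv", ".zip", ".exe", ".xml")  # types from the RewriteRule

def _sign(expires):
    return hmac.new(SECRET, str(expires).encode(), hashlib.sha256).hexdigest()

def issue_cookie(now=None):
    """Set-Cookie value for the entry page. No Max-Age, so the browser also
    drops it when the session closes."""
    expires = int(time.time() if now is None else now) + TTL
    return f"{COOKIE}={expires}.{_sign(expires)}; Path=/; HttpOnly; SameSite=Lax"

def parse_cookies(header):
    """Parse a request Cookie header ("a=1; b=2") into a dict."""
    jar = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            jar[name] = value
    return jar

def cookie_valid(header, now=None):
    """True only for an unexpired cookie whose signature we produced."""
    expires, sep, mac = parse_cookies(header).get(COOKIE, "").partition(".")
    if not sep or len(expires) > 12 or not (expires.isascii() and expires.isdigit()):
        return False
    if not hmac.compare_digest(mac.encode(), _sign(int(expires)).encode()):
        return False
    return int(expires) > (time.time() if now is None else now)

def decide(path, cookie_header="", now=None):
    """HTTP status for a request: 200 = serve, 403 = refuse protected content."""
    if not path.lower().endswith(PROTECTED):
        return 200  # entry page and ordinary pages stay open
    return 200 if cookie_valid(cookie_header, now) else 403

if __name__ == "__main__":
    cookie = issue_cookie().split(";")[0]          # what the browser sends back
    print(decide("/index.html"))                   # 200
    print(decide("/img/photo.jpg"))                # 403
    print(decide("/img/photo.jpg", cookie))        # 200
```

Unlike the Referer test, a missing cookie here means refusal, so the 403 page is the place to tell the visitor to enable cookies and start from the entry page.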

jdMorgan

2:56 am on Mar 20, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Forgot to mention:

Replace all broken pipe "¦" characters above with solid pipe characters before use; posting on this forum modifies the pipe characters.

Jim

Not academic

9:42 am on Mar 20, 2008 (gmt 0)

10+ Year Member



Hello,

Many thanks for the above. The final part is taking me in the direction I do not wish to go in. Perhaps I did not express myself well enough.

Coming at it from a completely different angle.....

Want : Type web address or Navigate from any existing page

Not Want : Type full address of page which is other than Index/default page

I realise that you have already mentioned the Cookie solution. That might be beyond my abilities...but I will research it more.

If my reply changes your view of what I want, do please jump in.

Regards.....