htaccess hotlink help

modemlooper

10:59 pm on Dec 25, 2008 (gmt 0)

So I have read many sites and blogs over the last month and can still not get this to work right, and it seems like the simplest thing to accomplish.

I need an htaccess file to allow a specific site to hotlink to everything in a directory (css, js, png, jpg, jpeg, mov, swf).

But I do not want someone to go to the url and access the same files via browser.

So far I have this - any suggestions would be great :)

SetEnvIfNoCase Referer "^http://www.mysite.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://www.mysite.com$" locally_linked=1
SetEnvIfNoCase Referer "^http://mysite.com/" locally_linked=1
SetEnvIfNoCase Referer "^http://mysite.com$" locally_linked=1
SetEnvIfNoCase Referer "^$" locally_linked=1

<FilesMatch ".(css|js|gif|png|jpg|jpeg)$">
Order Deny,Allow
Deny from env=locally_linked
</FilesMatch>

RewriteEngine on
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?site-allowed-to-link\.com [NC]
RewriteRule \.(css|js|png|gif|jpg|jpeg)$ - [F]

g1smd

11:26 pm on Dec 25, 2008 (gmt 0)

That's a conundrum, because you need to allow for a blank referrer if people come from the other site without a referrer, while blocking people who are not coming from another site and hence have no referrer.

jdMorgan

1:18 am on Dec 26, 2008 (gmt 0)

There is apparently a significant logic error in the Allow/Deny section. There is also a lot of redundancy at several levels, and several literal-character escaping problems. I would suggest replacing all of the code above with just this:

SetEnvIfNoCase Referer "^https?://(www\.)?mysite\.com" allow_link
SetEnvIfNoCase Referer "^https?://(www\.)?site-allowed-to-link\.com" allow_link
SetEnvIf Referer "^$" allow_link
#
<FilesMatch "\.(css|js|gif|png|jpe?g)$">
Order Deny,Allow
Deny from all
Allow from env=allow_link
</FilesMatch>

Replace the broken pipe "¦" characters with solid pipes before use; posting on this forum modifies the pipe characters.

Jim

modemlooper

1:42 am on Dec 26, 2008 (gmt 0)

That code didn't work. Pretty much didn't do anything. The code originally worked better. With your code you can type in the url to the image and see the files. With both codes the other problem is that the allowed site can link to the css file, but the images in the css file do not show on the allowed site. This doesn't even need to be a FilesMatch; it could be anything else. I just need a folder per referrer that only that referrer can link to.

jdMorgan

3:12 am on Dec 26, 2008 (gmt 0)

There are two basic problems. First, it appears that you did not completely flush your browser cache before testing and between tests.

The other is more fundamental, and that is that the referrer header is not required in HTTP, it is optional. Therefore, internet security software, and corporate and ISP caching proxies (used by all AOL and Earthlink customers for example) do not send the HTTP Referer header with their requests.

When a URL is typed-in, or requested via JavaScript in Internet Explorer (specifically), there is no referer. Similarly, when a search engine robot requests your pages, there is no referer.

Therefore, you are asking for a solution to an impossible problem if the solution is based on the HTTP Referer header: You must allow blank referrers for your images to load (even for your own site) for a significant number of users who, due to their ISP, will send no referer, and likely also for search engines which send no referer, and yet you don't want to allow type-ins, which also won't have a referrer.

The code I posted is dirt-simple, works on tons of other servers, and should work for all other "unwelcome hotlinking sites", assuming that you replaced the broken pipe characters as advised above. However, you must flush your browser cache, or your browser will simply show you its cached version of the page and server response headers, until whatever expiry time you have set has passed. If you have not configured your server to send Cache-Control and Expires headers, then your browser will show you the cached pages and responses until that cache entry is so old that it is replaced with a new page, based on typical oldest-cache-slot-first replacement in the browser.

Now, back to the original problem. As g1smd stated, and as I re-stated, you've got a conundrum: You want to block blank referrers from some sites and from type-ins, and yet you don't want even your own site to appear broken for users who for one reason or another send no Referer header, or have it blocked unbeknownst to them.

One way out of the sack is to use scripting to set a cookie on "authorized pages" of your site, and to check that cookie before serving any of your restricted content-types. If the cookie isn't set, then return a 403-Forbidden or blank or alternate content.

But this will take some special work-around to allow that other site to hotlink your stuff. Because cookies are only visible to the domain that serves them, I don't see a good solution for that right now.

Jim
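
The cookie gate described in the post above, as an added example that is not code from the thread or from either poster. A bare flag cookie would be trivially forged by anyone who reads one page source, so this version signs the cookie with HMAC-SHA256 and gives it a short lifetime; the secret, cookie name, lifetime and the decide() handler are assumptions for the demo. Referer is never consulted, so users behind proxies that strip it are served normally as long as they loaded an authorized page first.

```python
"""Cookie-gated serving of restricted assets (added example; not from the
thread). An "authorized" HTML page answers with set_cookie_header(); requests
for images/CSS/JS are refused unless the cookie carries a valid, unexpired
token. SECRET, COOKIE_NAME and TTL_SECONDS are assumed demo values."""
import hmac
import hashlib
import time
from http.cookies import SimpleCookie

SECRET = b"replace-with-a-random-32-byte-secret"  # assumption: per-deployment secret
COOKIE_NAME = "asset_ok"                             # assumption: cookie name
TTL_SECONDS = 3600                                   # assumption: one-hour lifetime
RESTRICTED_EXT = (".css", ".js", ".gif", ".png", ".jpg", ".jpeg")  # list from the thread


def issue_token(now=None):
    """Return 'expiry.hexmac' where hexmac = HMAC-SHA256(SECRET, expiry)."""
    expiry = int(now if now is not None else time.time()) + TTL_SECONDS
    mac = hmac.new(SECRET, str(expiry).encode(), hashlib.sha256).hexdigest()
    return f"{expiry}.{mac}"


def verify_token(token, now=None):
    """True only if the MAC checks out (constant-time compare) and has not expired."""
    now = now if now is not None else time.time()
    try:
        expiry_str, mac = token.split(".", 1)
        expiry = int(expiry_str)
    except ValueError:
        return False
    expected = hmac.new(SECRET, expiry_str.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and now < expiry


def set_cookie_header(now=None):
    """Set-Cookie value for an authorized page. HttpOnly keeps page scripts from
    reading it; SameSite=Lax still sends it on the page's own asset requests."""
    return (f"{COOKIE_NAME}={issue_token(now)}; Path=/; Max-Age={TTL_SECONDS}; "
            f"HttpOnly; SameSite=Lax")


def decide(path, cookie_header, now=None):
    """HTTP status for one request: 200 for non-restricted paths, or for
    restricted paths carrying a valid cookie; 403 otherwise."""
    if not path.lower().endswith(RESTRICTED_EXT):
        return 200
    cookies = SimpleCookie()
    cookies.load(cookie_header or "")
    morsel = cookies.get(COOKIE_NAME)
    if morsel is not None and verify_token(morsel.value, now):
        return 200
    return 403


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    token = set_cookie_header(t0).split(";", 1)[0].split("=", 1)[1]
    print(decide("/img/logo.png", f"{COOKIE_NAME}={token}", t0 + 10))    # page visitor
    print(decide("/img/logo.png", "", t0 + 10))                           # type-in
    print(decide("/img/logo.png", f"{COOKIE_NAME}={token}", t0 + 5000))  # expired
    print(decide("/img/logo.png", f"{COOKIE_NAME}=1", t0 + 10))          # forged
```

Serve the asset paths through the script (or have the web server hand them to it), since mod_rewrite can test for the cookie's presence but cannot check an HMAC. With SameSite=Lax the browser does not attach the cookie to images embedded by another site, so this gate also fences out the partner site; the cross-domain gap noted in the post above is not closed by it.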

jdMorgan

3:16 am on Dec 26, 2008 (gmt 0)

Oh, one more point. You may have only one "Order" directive in any given .htaccess file, unless they are specified in completely-mutually-exclusive containers (such as <FilesMatch>, <Files>, <Limit>, <LimitExcept>, etc.). Whatever Order is the last one to be specified in the scope of the request will be used.

Jim

modemlooper

3:42 am on Dec 26, 2008 (gmt 0)

Maybe I'm confused, but the code you provided does not block someone from typing in the url to, say, an image or even the css. The code I originally posted allows a css file to be linked but does not show the images specified via the css. Not only does the site need access to the images, so does the css file.

If in my code I just put this (below) with just css, it allows the css to pull the images, but then you can type in the url to the images. So I guess there is a problem with css and this type of deny allowing.

<FilesMatch "\.(css)$">
Order Deny,Allow
Deny from all
Allow from env=a
</FilesMatch>

modemlooper

4:47 am on Dec 26, 2008 (gmt 0)

So this code actually worked for me:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite.com(/)?.*$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?linking-site.com(/)?.*$ [NC]
RewriteRule .*\.(gif|jpg|jpeg|bmp|css|png|js)$ - [F,NC]

jdMorgan

2:45 pm on Dec 26, 2008 (gmt 0)

Great. Now visit your site from behind a caching proxy, like all AOL and Earthlink users and many corporate users, and you will find that every image on your site shows as "broken" and your pages are unstyled...

To speed up the code, get rid of the redundancies:


RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite\.com [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?linking-site\.com [NC]
RewriteRule \.(gif|jpe?g|bmp|css|png|js)$ - [F,NC]

Again, you'll either need to allow blank referrers, or staff-up your 24-hour help desk.

Jim
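
A way to measure the trade-off the post above describes before switching the rule on, as an added example that is not code from the thread or from either poster: run the same Referer test the rewrite rules apply over your own access log and count how many asset requests from your own visitors arrive with a blank Referer. The host names, the extension list and the log lines are constructed for the demo; the host patterns are tightened with "(/|$)" relative to the thread's prefix-only patterns, for the reason given in the comment.

```python
"""Referer audit over access-log lines (added example; not from the thread).
Applies the Referer test of the rewrite rules above to each asset request in
a combined-format log and tallies what would be served or blocked. Host
names, extension list and sample lines are constructed for the demo."""
import re
from collections import Counter

# Own site and partner site: assumed names. The thread's patterns stop after
# the host name, so they also accept any host that merely starts with it
# (mysite.com.example, mysite.community); "(/|$)" closes that gap.
OWN_SITE = re.compile(r"^https?://(www\.)?mysite\.com(/|$)", re.I)
ALLOWED = re.compile(r"^https?://(www\.)?linking-site\.com(/|$)", re.I)
ASSET = re.compile(r"\.(gif|jpe?g|bmp|css|png|js)$", re.I)  # extensions from the thread

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Constructed sample lines, one per case raised in the thread: own page,
# a CSS background image fetched with no Referer, the permitted partner
# site, an unwelcome hotlinker, a type-in/proxy request with no Referer,
# and a non-asset request the rule never looks at.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Dec/2008:10:00:01 +0000] "GET /css/site.css HTTP/1.1" 200 812 "http://www.mysite.com/" "Mozilla/5.0"
203.0.113.5 - - [26/Dec/2008:10:00:02 +0000] "GET /img/bg.png HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
198.51.100.9 - - [26/Dec/2008:10:00:03 +0000] "GET /img/logo.jpg?v=2 HTTP/1.1" 200 9000 "http://linking-site.com/page" "Mozilla/5.0"
198.51.100.9 - - [26/Dec/2008:10:00:04 +0000] "GET /js/app.js HTTP/1.1" 200 2200 "http://hotlinker.example/steal" "Mozilla/5.0"
192.0.2.77 - - [26/Dec/2008:10:00:05 +0000] "GET /img/logo.jpg HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.78 - - [26/Dec/2008:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""


def classify(referer):
    """Bucket a Referer value; Apache logs a missing header as "-"."""
    if referer in ("", "-"):
        return "blank"
    if OWN_SITE.match(referer):
        return "own-site"
    if ALLOWED.match(referer):
        return "allowed-site"
    return "other"


def decision(bucket, allow_blank):
    """'serve' or 'block' for an asset request. allow_blank=True mirrors the
    first post's extra  RewriteCond %{HTTP_REFERER} .  (blank passes);
    False mirrors the later rule set, where a blank Referer is blocked."""
    if bucket in ("own-site", "allowed-site"):
        return "serve"
    if bucket == "blank":
        return "serve" if allow_blank else "block"
    return "block"


def audit(log_text, allow_blank):
    """Counter of (bucket, decision) over asset requests only. The query string
    is dropped before the extension test, as a per-directory RewriteRule
    matches the path without it."""
    tally = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]
        if not ASSET.search(path):
            continue
        bucket = classify(m.group("referer"))
        tally[(bucket, decision(bucket, allow_blank))] += 1
    return tally


if __name__ == "__main__":
    for allow_blank in (False, True):
        print(f"allow_blank={allow_blank}")
        for (bucket, verdict), n in sorted(audit(SAMPLE_LOG, allow_blank).items()):
            print(f"  {bucket:<13} {verdict:<6} {n}")
```

Point audit() at a real log and compare the ("blank", "block") count against ("own-site", "serve"): the first number is the help-desk load the post above warns about, and the second is the only traffic the rule actually protects.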

modemlooper

5:33 pm on Dec 26, 2008 (gmt 0)

The question is how come if I only specify the css with a blank referrer then the code you originally posted works fine. Only the sites I say can link, and you are not allowed to directly type the url. The images are pulled by css, but you can type the url to images. If I put png, jpg or any other file type it breaks and the css does not work right.

Why would it treat different file types differently?

jdMorgan

5:45 pm on Dec 26, 2008 (gmt 0)

I have already explained in several ways that sending an HTTP Referer header is optional for HTTP clients, and this is why you cannot achieve a reliable solution to your problem based on checking HTTP Referer headers.

The most likely cause is that image requests sent by the browser when requesting CSS backgrounds are not sent with a referrer.

Use the Live HTTP Headers add-on for Firefox/Mozilla-based browsers to investigate this behavior with Mozilla-type browsers. I'm not aware of any equivalent plug-in or tool for IE, and it wouldn't surprise me if IE's CSS-image-fetching behavior was different, either.

As I'm quite sure you can't get a reliable referrer-based solution to your problem, I can only advise you that you're wasting your time with this approach, and if this is really important to you, then you need to look into more-reliable script-based methods, as described above.

Good luck,
Jim

modemlooper

5:50 pm on Dec 26, 2008 (gmt 0)

Thanks Jim for all the help! It's not crazy important, just a deterrent for those thieves.