trying to stop swf hotlinking in iframe

         

nmjudy

3:33 am on Jan 2, 2006 (gmt 0)

10+ Year Member



I found some code posted in a forum to prevent hotlinking of .swf files on my site. However, when I add the code to my .htaccess file, I get an Internal Server error. I omitted the first 2 lines because they were already included in my .htaccess file for some user agents I'm blocking. Should I be repeating those lines?

The instructions were to add the following code to my .htaccess file:

Options +FollowSymLinks
RewriteEngine on

RewriteOptions inherit
RewriteCond %{HTTP_REFERER}!^http://([a-z0-9-]+\.)* mysite.com/ [NC]
RewriteCond %{HTTP_COOKIE}!(^¦(.+;)*)id=valid(;.*¦$)
RewriteRule /*$ http://www.mysite.com/copy.html [L,R]

I know the pipe character doesn't come through correctly on Webmasterworld, but does anyone see any other invalid character or know why I might be getting an internal server error?

[edited by: jdMorgan at 6:32 pm (utc) on Jan. 2, 2006]
[edit reason] Disabled smileys in code [/edit]

nmjudy

3:56 am on Jan 2, 2006 (gmt 0)

10+ Year Member



To clarify, here are the .htaccess file contents that give an INTERNAL SERVER ERROR. It includes both the blocked user agents AND the referer test code I added. The code worked fine until I added the last 4 lines:

Options Indexes FollowSymLinks Includes

RewriteEngine on
RewriteCond %{HTTP_HOST}!^www\.mysite\.com [NC]
RewriteRule ^(.*)$ [mysite.com...] [R=301,L]
RewriteCond %{HTTP_USER_AGENT} ^badbot1 [OR]
RewriteCond %{HTTP_USER_AGENT} ^badbot2
RewriteRule!^403\.shtml$ - [F,L]
RewriteOptions inherit
RewriteCond %{HTTP_REFERER}!^http://([a-z0-9-]+\.)* mysite.com/ [NC]
RewriteCond %{HTTP_COOKIE}!(^¦(.+;)*)id=valid(;.*¦$)
RewriteRule /*$ http://www.mysite/copy.html [L,R]

[edited by: jdMorgan at 6:33 pm (utc) on Jan. 2, 2006]
[edit reason] Disabled smileys in code [/edit]

nmjudy

3:59 pm on Jan 2, 2006 (gmt 0)

10+ Year Member



Just noticed a similar (but different) thread -
[webmasterworld.com...]

My problem: I've found several sites linking to just my swf movies in an iframe - all hosted on foreign domains/servers in different languages.

What I want to do: Only allow swf files to be called from html pages on my site.

- Do I need to use cookies to block bandwidth thieves? Is the code in the other thread just as effective?
- Is there a chance that I would be blocking more than just the thieves?
- If I decide to use the cookie method with the above script, does "RewriteOptions inherit" in my sample code have to come before "RewriteCond"? What's making it bomb?

jdMorgan

6:46 pm on Jan 2, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Did fixing the missing spaces between "}" and "!" help with your 500-Server Errors?

You don't need to repeat the Options or RewriteEngine directives.

RewriteOptions is used (if needed) in subdirectories, in order to allow that subdirectory to 'inherit' the mod_rewrite rules of its parent directory. Many servers set this by default, and you shouldn't normally need to use it unless you find that requests for subdirectory URLs seem to by-pass your top-level .htaccess file rewriterules. If used, it should usually follow the RewriteEngine directive.

Blocking by HTTP_REFERER is an easy, but only partially-effective solution. Many clients won't send a referrer, and many times, corporate and/or ISP caching proxies and 'internet security' software firewalls will drop them. Also, many media players and plugins don't send a referrer. So, you end up allowing blank referrers so that your site won't look randomly broken, but this allows some hotlinking to succeed. Referrer-based anti-hotlinking works on static images and files often enough to dissuade casual hotlinkers. But if you need close to 100% effectiveness, then a cookies-and-script based solution is a better choice -- but obviously this will be more complex and require more work.

Jim
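
The trade-off described in the reply above, as an added example that is not part of the original thread: a JavaScript model of a referer-only check that lets blank referers through, next to the referer-or-cookie rule posted earlier. The function names and sample requests are constructed; mysite.com is the thread's placeholder domain.

```javascript
// Added illustration, not code from the thread. Patterns follow the posted
// RewriteCond lines (host dot escaped); all sample requests are constructed.
const OWN_REFERER = /^http:\/\/([a-z0-9-]+\.)*mysite\.com\//i;
const VALID_COOKIE = /(^|(.+;)*)id=valid(;.*|$)/;

// Policy A: referer check that lets blank referers through so that visitors
// behind referer-stripping proxies do not see a broken site.
function refererOnlyAllows(req) {
  return req.referer === "" || OWN_REFERER.test(req.referer);
}

// Policy B: the posted rule. Consecutive RewriteCond lines are ANDed, so the
// redirect fires only when the referer is not ours AND the cookie is missing.
function refererOrCookieAllows(req) {
  const foreignReferer = !OWN_REFERER.test(req.referer);
  const cookieMissing = !VALID_COOKIE.test(req.cookie);
  return !(foreignReferer && cookieMissing);
}

const requests = [
  { name: "own page, cookie set",
    referer: "http://www.mysite.com/games/page1.html", cookie: "id=valid" },
  { name: "own page, cookies disabled",
    referer: "http://www.mysite.com/games/page1.html", cookie: "" },
  { name: "own visitor, referer stripped, cookie set",
    referer: "", cookie: "other=1; id=valid" },
  { name: "foreign iframe, referer sent",
    referer: "http://frames.example/embed.html", cookie: "" },
  // Identical on the wire: a hotlink through a referer-stripping proxy and a
  // legitimate visitor with both referer and cookies unavailable.
  { name: "no referer, no cookie", referer: "", cookie: "" },
];

function evaluate() {
  return requests.map((r) => ({
    name: r.name,
    refererOnly: refererOnlyAllows(r),
    refererOrCookie: refererOrCookieAllows(r),
  }));
}

console.table(evaluate());
```

The last row is the case neither policy can classify correctly: the referer-only policy serves it, and the referer-or-cookie rule redirects it, whoever sent it.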

nmjudy

7:27 pm on Jan 2, 2006 (gmt 0)

10+ Year Member



Thanks for your reply!
When I look at the code in notepad, the required spaces are there, however, spaces don't show up in the Webmasterworld post. This is a HUGE bandwidth problem. Reviewing my logs, I see one swf file has been called over 2000 times just today! The file is 120k. Several different domains are accessing the same file. I also see references without a referral. I have to stop these @#$#%! A side thought - if I use the cookie method, there may be some users that disable cookies that won't be able to view the swf. Correct? I probably should rewrite to a page that explains the activity can only be played if cookies are enabled.

So you don't see any conflict with the code below for a root .htaccess? Note: The pipe character is the full pipe and the required spaces between } and ! are there.

Options Indexes FollowSymLinks Includes

RewriteEngine on
RewriteCond %{HTTP_HOST} !^www\.mysite\.com [NC]
RewriteRule ^(.*)$ http://www.mysite.com/$1 [R=301,L]
RewriteCond %{HTTP_USER_AGENT} ^badbot1 [OR]
RewriteCond %{HTTP_USER_AGENT} ^badbot2
RewriteRule !^403\.shtml$ - [F,L]
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)* mysite.com/ [NC]
RewriteCond %{HTTP_COOKIE} !(^|(.+;)*)id=valid(;.*|$)
RewriteRule /*$ http://www.mysite/enable-cookies-explanation.html [L,R]

I have an external javascript built into all my pages that can load the cookie code in with one upload. I'm not a javascript expert, but don't see a problem with the following. Thoughts? Will it screw anything up forcing a cookie for every page in my site? I have several thousand pages in the site - about 1500 of them hold swf files.

function addbookmark()
{
  var bookmarkurl = "http://www.mysite.com";
  var bookmarktitle = "mytitle!";
  // window.external.AddFavorite exists only in Internet Explorer
  if (document.all)
    window.external.AddFavorite(bookmarkurl, bookmarktitle);
}
// Calculate the expiration date
// setTime() works in milliseconds: 20 * 60 * 1000 = 20 minutes (assumed intended lifetime)
var expires = new Date();
expires.setTime(expires.getTime() + 20 * 60 * 1000);
document.cookie = "id=valid; path=/; expires=" + expires.toUTCString();

[edited by: jdMorgan at 8:43 pm (utc) on Jan. 2, 2006]
[edit reason] Smilies again... [/edit]

jdMorgan

8:39 pm on Jan 2, 2006 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



You'll also need to allow for users with JS disabled before requiring the cookie.

For another method that might be quicker, you could rename each .swf link on your site to immediately cut the hotlinkers off. This may or may not be feasible, depending on how fast you can upload new pages. Obviously, you'll want to use a multi-file search-and-replace tool to do this -- several freeware, shareware, and trialware packages are available if you do a search.

We had a discussion [webmasterworld.com] here a while back about a technique using SSI or PHP to "munge" the current date/time into each multimedia link on every page. Then we used mod_rewrite to validate the timestamp (allowing for slightly-old links due to caching) and rewrite the request to the actual multimedia filepath on the server. This actual content URL could not be directly requested by the user. This might be a workable solution for you if the cookies and script approach isn't workable.

Jim
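
A sketch of the timestamped-link idea from the reply above, as an added example that is not code from the thread or the linked discussion. It goes beyond the description by signing the timestamp with an HMAC so a link cannot be minted without the server's secret; the URL layout, secret, lifetime and function names are all assumptions, and JavaScript stands in for the SSI/PHP and mod_rewrite roles.

```javascript
const crypto = require("node:crypto");

// Constructed values for illustration only.
const SECRET = "constructed-demo-secret";
const LIFETIME_S = 300;             // tolerate slightly old links (cached pages)
const REAL_DIR = "/protected-swf/"; // real location, never linked directly

function sign(file, expiry) {
  return crypto.createHmac("sha256", SECRET)
    .update(`${file}|${expiry}`).digest("hex").slice(0, 32);
}

// Page-generation side: the role SSI or PHP plays in the thread.
function mungeLink(file, nowS) {
  const expiry = nowS + LIFETIME_S;
  return `/media/${expiry}-${sign(file, expiry)}/${file}`;
}

// Request side: the role mod_rewrite plays. Validate, then map to the real path.
function resolveLink(url, nowS) {
  const m = /^\/media\/(\d{1,12})-([0-9a-f]{32})\/([A-Za-z0-9_-]+\.swf)$/.exec(url);
  if (!m) return { status: 403, reason: "malformed" };
  const [, expiryStr, sig, file] = m;
  const expiry = Number(expiryStr);
  // Both buffers are 32 bytes, as timingSafeEqual requires.
  const ok = crypto.timingSafeEqual(Buffer.from(sign(file, expiry)), Buffer.from(sig));
  if (!ok) return { status: 403, reason: "bad signature" };
  if (nowS > expiry) return { status: 403, reason: "expired" };
  return { status: 200, path: REAL_DIR + file };
}

// Constructed walk-through: fresh link, stale link, and a link edited to
// point at a different file.
function demo(nowS) {
  const link = mungeLink("game1.swf", nowS);
  return {
    fresh: resolveLink(link, nowS + 60),
    stale: resolveLink(link, nowS + LIFETIME_S + 1),
    tampered: resolveLink(link.replace("game1", "game2"), nowS + 60),
    direct: resolveLink(REAL_DIR + "game1.swf", nowS),
  };
}

console.log(demo(1136230000));
```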