That code is not valid for use in .htaccess -- are you sure it's not a PHP script of some kind?

In most cases, simple referrer-based anti-hotlinking schemes don't work for media files. That is bacause most media players don't send an HTTP_REFERER header to the server. But, you can't block blank referrers, because many ISP and corporte caching proxies drop referrers, and many "Internet Security" software packages block them. Also, browsers such as Firefox and Mozilla can be set to block the sending of a referrer headers. So if you blocked blank referrers, you'd block many legitimate visitors.

So the usual approach --and it looks like you have part of it-- is to set a cookie on one or more "authorized pages" of your site, rewrite all media file requests to a script using mod_rewrite, and then use the script to check the cookie. If the cookie is valid, then do the readfile($file_path); to 'pipe' the media file to the authorized user through the script.

Jim

Hello Jim,

Well were talking about simple download modules used in a cms.
But thery are not waterproof.

so what happens is ,is that they find out your download directory very easely.
so were talking about zip and rar files....not other media....
So as you described is THE approach to stop hotlinking..?

Hi John. Instead for serving a short 403 the way you do to save on bandwith, could one not just use

<Limit GET>
order deny,allow
deny from .spammersite.com
allow from all
</Limit>

to block log spamers?

janbeeu,

That will simply serve the existing 403 error page in response to requests from the server of the site that links to his content. It will have no effect on visitors following links from that site.

john1000,

*IF* most of the download attempts are accompanied by an HTTP_REFERER header (check your raw access logs), then a similar approach to that posted by janbeeu would reduce their success rate. It will not stop determined, knowledgeable downloaders, though, and is only good enough for "emergency use" while you develop a better method using cookies and a script:

<Files "\.(zip¦rar)$">
SetEnvIf Referer "hotlinking_site_domain\.com" getout
Order allow,deny
Allow from all
Deny from getout
</Files>

Or alternately:

<Files "\.(zip¦rar)$">
SetEnvIf Referer "your_domain\.com" allowit
SetEnvIf Referer "^$"
Order deny,allow
Deny from all
Allow from allowit
</Files>

Note that understanding the Order directive is critical. It sets the evalutation priority of the allow and deny directives -- In other words, whether allow overrides deny or vice-versa.

See Apache mod_access [httpd.apache.org] and mod_setenvif [httpd.apache.org]

Another emergency method is to simply rename the folder every day. But this requires you to change all links on your pages as well.

Jim

Hello,

Thanks guys for the reply...

This isnt my problem of hotlinking but of hundreds of sites....
But the clue in this is.....
THEY KNOW THE DOWNLOAD DIRECTORY AND FILE....
So to explain it even more....

lets say my site is www.mysite.com
my downloads directory is "dl"
so it would be ..www.mysite.com/dl/

so i have a file called secret.zip
so the download address would be ...www.mysite.com/dl/secret.zip still following this?

ok lets say...a hotlinker found my dl address and put that download on his site,but the download is from my server...

so how do you stop that?
Thats what this is about....

The above soloution?

So they're linking directly to the *.exe or whatever, rather than to a page?

If the file in question is within its own directory, I would use a directory-specific .htaccess file, and try something similar to hotlink protection.

# Turn Rewrite on:




RewriteEngine on

# Allow referrals from your own site:




RewriteCond %{HTTP_REFERER}!^http:// yourdomain .com/.*$ [NC]

# Send enquiries to another file:




RewriteRule .*\.(exe)$ /emptycode.exe [R,NC]

The above is only my guess as to the general structure of what might work. If somebody else says something different, go with that instead.

Eliz.

yes your basically right ,only were talking about zip and rar files...

but indeed.....how would you file if you create something and someone knows the download address and puts up a link to it?
For a file of 2kb it seems litle but it could just as well be a file of 10mb.

Ok so an example...
<a href="http://www.penreader.com/download/uiq/SlovoEd_Bundle_Ula.zip" >hotlinked</a>

The above link is open and not stolen but suppose it was?
How can penreader.com prevent me from doing this?

Cause naturaly we cannot post active links here but if we could (like this topic is all about) then we could download it and he wouldnt know..

I've got a number of .ZIP and .hqx files I don't want directly accessed from other than links on my server because the files have introductions and instructions. So I handle off-site links to those files by redirecting people to a special info page on which they'll find the links to the files --

That's probably clear as mud (sorry!) so here's how it looks...

For the purposes of this example, the site "mysite.com," the file is "FILE.ZIP" in the "downloads" directory, and the info page is "info.html." (So much for originality:) Anyway, here:

public_html/downloads/FILE.ZIP
public_html/downloads/info.html

Okay. So I have one .htaccess in public_html w/ the usual anti-robot stuff, etc. PLUS I have a SECOND .htaccess *in* /downloads/ :

public_html/.htaccess
public_html/downloads/.htaccess
public_html/downloads/FILE.ZIP
public_html/downloads/info.html

Now, in the /downloads/ .htaccess, I have the following:

RewriteEngine on
RewriteOptions inherit

RewriteCond %{HTTP_REFERER}!^$
RewriteCond %{HTTP_REFERER}!^http://(www\.)?mysite.com/.*$ [NC]
# next line is mysite.com's IP in case people use that
RewriteCond %{HTTP_REFERER}!^http://987\.65\.43\.21/.*$ [NC]
# finally, here's the rewrite
RewriteRule ^FILE\.ZIP$ [mysite.com...] [R,L]

Bottom Line:

If someone tries to access FILE.ZIP and they're not on my server, they can't. They're redirected to "info.html."

Hoo-boy. Hope that helps!

This *is* a hot-linking problem. The only difference is that most hotlinking problems have to do with image files, while this case has to do with zip and rar files.

Most of the solutions presented here can be modified to work most of the time -- as long as the computer doing the downloading sends a referrer header with its requests. Some don't. Many don't. The majority do, making this approach somewhat effective, because those who are blocked will complain to the hotlinking site's owner, and maybe he'll get tired of it and remove the link... Maybe.

Again, I recommend a cookies-and-script-based solution if you are serious about controlling downloads without relying on the inherently-unreliable HTTP_REFERER header.

Bottom line: If you are losing money because of this hotlinking, then hire soemone to write you some code (JavaScript on the client side or PHP on the server-side) to set a cookie on the pages of your site allowed to link to these files for downloading, and to write a script that will deliver these files (stored in a protected directory) to users only if they provide a valid cookie with their request.

The cookie should be complex -- moderately-encrypted, and should change per-user per-IP amd per-session. It should expire in accordance with the 'expires' header on the page that sets it -- Both the cookie and page should expire after three to five minutes to prevent problems with users mailing the cookies to each other if they are using the same network.

Jim

ok thanks for all the feedback on this guys.
ill pass it on and see what people can brew from this...