RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.net [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?theexample\.net [NC]
RewriteRule (.*.(gif¦jpg¦jpeg¦png¦bmp)$) http://example.net/hotlinking-allowed/credit_the_source.jpg [R,NC,L]
theexample.net is a domain alias for example.net. You can access the site using either domain name. By that I mean theexample.net/filename.html works the same as example.net/filename.html.
The above code works perfectly if you enter the site using example.net or www.example.net...you can see all of the images fine. If you try using theexample.net or www.theexample.net, some of the images are blocked and others aren't.
I took out the usual line:
RewriteCond %{HTTP_REFERER} !^$
because I'm using the same firewall everyone and their dog uses, and I can see my hotlinked images on remote servers when that line is in place.
My "traffic" is going up every day, but the money I'm making is going down. I need to find a solution...is it even possible using .htaccess?
There's nothing inherently wrong with that code, except that by removing the blank-check, you've effectively excluded *anybody* who accesses the Web from behind a caching proxy -- for example, *all* AOL users.
Access control by referrer is simple, but only partially-effective. For this reason, don't think of it as a 100% solution. You'll need to allow some hotlinking in order to avoid having your site look broken to the caching proxy users... They have no choice about being behind a caching proxy, and you're showing them the "no-hotlinking" image *on your own site*.
However, since the 'success' of displaying a hotlinked image depends on the client browser, the hotlinker has no control -- Sometimes his visitors will see your image, and sometimes they'll get the no-hotlink image. Some of his visitors will report the problem, but it will appear to be intermittent. After a few weeks of 'dealing' with problem reports, he'll likely remove the image anyway -- even though it sometimes works.
Here's a clean-up/speed-up of your code, but it likely won't change your results:
RewriteCond %{HTTP_REFERER} .
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.net [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.)?theexample\.net [NC]
RewriteRule \.(gif¦jpe?g¦png¦bmp)$ http://example.net/hotlinking-allowed/credit_the_source.jpg [R,NC,L]
Change all broken pipe "¦" characters above to solid pipes before use; posting here modifies the pipe character.
Jim
Thanks so much for the quick reply. I put up your code...it works fine.
I suppose my problem is not so much with Apache, it's with Norton Internet Security. I tried out your code on two computers, one is running Norton and the other is running PC-Cillin.
The PC-Cillin one blocked the hotlinked image, but how many people use PC-Cillin over Norton?
Once the firewall that comes with most office computers and pre-installed in most Dell home computers allows people to view hotlinked images, then there is going to have to be a better way of blocking them. I followed a couple of my hotlinked images...no one was complaining that they couldn't see the image. (These had been hotlinked using my "old" .htaccess code, which I'd tested on my old, non-Norton computer...apparently I'd been blocking the images all this time mainly from myself.)
Thanks for helping me...this is the best webmaster forum around (believe me, I looked all over the Net for the past two days).
Allowing the blank referrers will admittedly let some visitors to the hotlinking site see your images -- If their browser/security software/ISP blocks referrers or if their ISP uses a caching proxy to improve their 'internal' network performance as AOL does. But again, the visitors to that hotlinking site whose browsers do provide a referrer to your server will have their hotlinked image requests blocked by your code. So the hotlinker will get lots of complaints from his visitors -- and enough people complaining that his site is broken to inspire him to take the link to your image off his site. So the solution, while imperfect, is usually enough to get rid of most hotlinkers.
On the other hand, if you block blank referrers, then *your site* looks broken to all AOL users, Earthlink users, Satellite ISP subscribers, users behind corporate caching proxies, etc. Maybe you can do without all these visitors -- I don't know. But I try to avoid things that make my site look broken.
If you need better protection, then you're looking at a cookies-and-script-based solution. Complex compared to a simple .htaccess file, and more processor-intensive. Have your page(s) set a cookie, and then use mod_rewrite to rewrite all image requests to a script that checks for that cookie. If present, the script reads the image file and outputs it to the 'authorized requester.' If not, serve an alternate image or a 403-Forbidden response. An easy enough job for someone familiar with PERL and mod_rewrite, I suppose. I've never done it myself though, because the problem just isn't big enough for me (personally, on my sites) to bother with it.
Jim
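The cookie-and-script approach Jim describes above, sketched in Python rather than Perl as an added example; it is not code from the thread. The cookie name, the signed-expiry token format and the function names are assumptions, and signing the value goes one step beyond a bare presence check so that the cookie cannot simply be made up or reused indefinitely. mod_rewrite is assumed to hand every image request to `serve_image`.

```python
import hashlib, hmac, tempfile
from http.cookies import CookieError, SimpleCookie
from pathlib import Path

COOKIE_NAME = "imgpass"  # hypothetical cookie name, not from the thread

def issue_token(secret: bytes, now: int, ttl: int = 3600) -> str:
    """Cookie value the HTML pages set: '<expiry>.<HMAC of expiry>'."""
    expiry = str(now + ttl)
    return expiry + "." + hmac.new(secret, expiry.encode(), hashlib.sha256).hexdigest()

def token_valid(secret: bytes, token: str, now: int) -> bool:
    expiry, _, mac = token.partition(".")
    if not (expiry.isascii() and expiry.isdigit()):
        return False
    good = hmac.new(secret, expiry.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), good.encode()) and now < int(expiry)

def serve_image(cookie_header, url_path, root: Path, secret: bytes, now: int):
    """Handle an image request that mod_rewrite passed to this script.
    Returns (status, body); a 403 could instead send the alternate image."""
    jar = SimpleCookie()
    try:
        jar.load(cookie_header or "")
    except CookieError:
        return 403, b""
    morsel = jar.get(COOKIE_NAME)
    if morsel is None or not token_valid(secret, morsel.value, now):
        return 403, b""
    target = (root / url_path.lstrip("/")).resolve()
    if root.resolve() not in target.parents or not target.is_file():
        return 404, b""  # never read outside the image directory
    return 200, target.read_bytes()

def demo():
    """Constructed sample data: one fake image, four requests."""
    secret, now = b"constructed-demo-secret", 1_700_000_000
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "cat.jpg").write_bytes(b"\xff\xd8constructed")
        good = f"{COOKIE_NAME}={issue_token(secret, now)}"
        return [serve_image(c, p, root, secret, t)[0] for c, p, t in [
            (good, "/cat.jpg", now),         # visitor who loaded a page first
            ("", "/cat.jpg", now),           # hotlinked request, no cookie
            (good, "/cat.jpg", now + 7200),  # cookie past its lifetime
            (good, "/../x.jpg", now),        # path escaping the image root
        ]]

if __name__ == "__main__":
    print(demo())
```

Unlike the referrer check, this does not depend on what the visitor's firewall or proxy strips from the request, but a first-time visitor whose browser refuses cookies would get the 403 on your own pages.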
For me, it's less of a problem with bandwidth...even though it's using a lot of mine, it's not endangering my bandwidth limit. It's more a matter of my competitors using my images to draw traffic to their own sites. I suppose if they were more sophisticated, they would download a copy of the image and host it themselves, but they're not...which is also why they wouldn't take my image down even if they had some complaints about it.
What I did was use an ad for my site as the alternative image. It's a nice ad...got "Image hosted by," my logo, branding, name of the site and URL written nicely on it.
If the .htaccess works and redirects to this image, it's a "free ad" for my site with me "paying" only the bandwidth.
If the .htaccess fails and the hotlinked image starts showing up in my site stats, I will go back and rename the original image. It's more work on my part but so what?--I put up my ad in place of the hotlinked image.
What I'm getting is a whole lot of free advertising for my site.
It's less work than buying adspace on myspace.com and as long as your bandwidth holds out, it's free. (Since it's generally my competitors doing the hotlinking, it's targeted advertising on top of it all).