Mod rewrite/hotlinking question

         

amitrius17

7:45 pm on Nov 19, 2003 (gmt 0)



People are still able to access files protected by .htaccess URL rewrite by posting the file's URL in the address bar, using Save Target As when it is a hyperlink, or by clicking Refresh when they arrive at the Access Denied page.

Can .htaccess protect against those things too? If not, then can you suggest some alternatives?

This is the code I am currently using:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule \.(gif|jpg|zip|rar|mid|png)$ - [F]

jdMorgan

9:08 pm on Nov 19, 2003 (gmt 0)




amitrius17,

In two of those three cases, the problem is that the referrer will be blank. Your rules specifically allow that, and it's a good idea unless you want lots of complaints from people behind proxies or running internet security software... Not much you can do about those two cases using .htaccess/mod_rewrite. A cookie- or session-based solution will be needed.

However, you can fix the 'reload' problem by disallowing your custom 403 page as a referrer:


RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain\.com [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(www\.)?mydomain\.com/forbidden\.html$
RewriteRule \.(gif|jpg|zip|rar|mid|png)$ - [F]

Substitute the name of your custom 403 page for 'forbidden\.html' above.

I haven't tested this. If this 'simple' solution does not work, then try putting a 0-second meta-refresh redirect on your custom 403 page to a secondary 403 page, and disallow that secondary 403 page as a referrer instead. (This redirect will force an update of the referrer URL in the request.)

Jim
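
The cookie-based alternative mentioned in the reply above, sketched as an added example that is not part of the original thread: pages on the site set an HMAC-signed, expiring cookie, and the file handler checks that cookie instead of the Referer, so a blank referrer no longer decides the outcome. The secret, lifetime, cookie name and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: a random per-site key in practice
TTL = 600                            # assumption: cookie lifetime in seconds
COOKIE = "dl_token"                  # hypothetical cookie name


def issue_token(now=None):
    """Value an HTML page on the site would set as the cookie when it is served."""
    expires = int(time.time() if now is None else now) + TTL
    sig = hmac.new(SECRET, str(expires).encode(), hashlib.sha256).hexdigest()
    return f"{expires}.{sig}"


def token_valid(token, now=None):
    """True only for an unexpired token carrying a correct HMAC."""
    expires, _, sig = (token or "").partition(".")
    if not expires.isdigit():
        return False
    good = hmac.new(SECRET, expires.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes so non-ASCII input cannot raise.
    if not hmac.compare_digest(sig.encode(), good.encode()):
        return False
    return int(expires) >= int(time.time() if now is None else now)


def parse_cookies(header):
    """Split a Cookie request header into a name -> value dict."""
    pairs = (p.strip().partition("=") for p in (header or "").split(";"))
    return {name: value for name, _, value in pairs if name}


def serve_file(headers, now=None):
    """Return 200 or 403 for a protected file; the Referer is never consulted."""
    token = parse_cookies(headers.get("Cookie")).get(COOKIE)
    return 200 if token_valid(token, now) else 403


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed clock value
    tok = issue_token(t0)
    # Constructed requests, both with a blank Referer.
    print(serve_file({"Referer": ""}, t0))
    print(serve_file({"Referer": "", "Cookie": f"{COOKIE}={tok}"}, t0 + 60))
```

A browser that loaded a page on the site first passes this check whatever Referer it sends; a request that never visited the site, or that presents an expired or altered cookie, gets the 403.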