Forum Moderators: phranque
I'm getting ready to open a website to the public next month and it has almost 1,000 original photos, many of a generous size. Something has been gnawing at me for a while and it's the current methods of blocking hotlinkers.
Cookies
My problem with using cookies: for example, someone asked me to come over and fix his computer the other day. They had installed so many anti-virus, anti-popup and other free downloads to stop the problems, but as most here know those free programs are usually filled with more spyware than they remove. Long story short, all these antivirus and other programs can with ease force users to see popup boxes asking if they want to allow a site to set cookies, or even just block cookies altogether, and so many users, especially ones who just paid $100 to have their PCs fixed, are too scared to answer any question a popup box might ask, except no. I want my site to be open to all, even those blocking everything including cookies. So using cookies to stop hotlinking is out.
Sessions
If I'm not mistaken, you can pass session variables even if the user has cookies disabled, but forcing all users to use sessions can conflict with search engines, I've heard. I imagine there are other problems with running sessions throughout your whole site. As for creating a login, that follows the same as above. I don't want the user to have to do anything but navigate my site.
htaccess
Using htaccess to block by referer is a pretty solid idea except for the allowance of blank referers. The idea is that some will slip by but the majority will be blocked. Well here is a little scenario that I can't stop thinking about.
1) Lazy webmaster wants more traffic
2) He finds images on your website
3) He creates direct text links to the images and even writes a little description of the images, Example: "Large Picture of Building" Click the link to see a huge 1600x1200 image of this building. When you are done simply close the window.
4) He uses "_blank" tag to open your pictures on your server in a new window of just your picture, no ads or link to your website, just your picture.
5) This works because if he forces them to open a new page then there will be no referer and the htaccess hotlink blocking gladly accepts no referer.
6) He gives them a sob story on how much it costs him to host these big beautiful images and asks his visitors to click on his affiliate links.
7) All I see is a bunch of blank referers opening my images. I wouldn't even be able to find out who this guy is and even if I did I don't know what I would do about it. I don't even know what something like this would be called. It's not hotlinking exactly but I don't know what else to call it.
Conclusion
I really hope I have overlooked something really simple and the above scenario can't possibly happen. For now, I would love to hear thoughts on this subject from other webmasters.
...using cookies to stop hotlinking is out
...forcing all users to use sessions can conflict with search engines I've heard
Using htaccess to block by referrer is a pretty solid idea except for the allowance of blank referrers
He finds images on your website... He creates direct text links to the images... uses "_blank" tag to open your pictures on your server in a new window...
My opinion - you need to compromise a bit. Mod_rewrite should block approx 85% of hot-linking. Do a file switch and serve the remote requests with one that advertises your site. But if that doesn't suit you enough, then consider not publishing your photos on the internet, since someone will inevitably upset your boundaries.
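As an added example (not code from this thread or from any poster), the following Python reproduces the decision a referer-based mod_rewrite rule set makes, so it can be run offline over log lines, and adds the check the original post asks for: flagging clients that fetch images with a blank referer but never fetch a page from the site. It assumes the site is example.com, a notice image at /images/hotlink-notice.png for the "file switch", and a handful of constructed Apache combined-format log lines; the equivalent Apache directives quoted in the module docstring are likewise an assumed rule set, not one taken from the thread.

```python
r"""Referer-based hotlink filtering, plus a log check for the blank-referer gap.

Added example; not code from this thread. It reproduces the decision made by
a mod_rewrite rule set of the kind discussed above (assumed site example.com):

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
    RewriteRule \.(jpe?g|gif|png)$ /images/hotlink-notice.png [NC,L]

The first RewriteCond is the "allow blank referers" exception the original
post worries about; the RewriteRule is the "file switch" suggested in the reply.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit

OWN_HOSTS = {"example.com", "www.example.com"}   # assumed: the photo site itself
NOTICE_IMAGE = "/images/hotlink-notice.png"       # assumed: the "file switch" image
IMAGE_RE = re.compile(r"\.(jpe?g|gif|png)$", re.IGNORECASE)


def decide(path: str, referer: str) -> tuple[str, str]:
    """Classify one request the way the rule set would; return (verdict, path to serve).

    verdict: 'not-image' (rule does not apply), 'own-site', 'blank-referer' or 'hotlink'.
    Only 'hotlink' is switched to the notice image. A blank referer is let through,
    which is exactly the gap described in the original post.
    """
    if not IMAGE_RE.search(path):
        return "not-image", path
    if referer in ("", "-"):            # Apache logs a missing Referer header as "-"
        return "blank-referer", path
    host = (urlsplit(referer).hostname or "").lower()
    if host in OWN_HOSTS:
        return "own-site", path
    return "hotlink", NOTICE_IMAGE


# Apache "combined" log format (regex written for this example; fine for the sample lines).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line: str) -> dict[str, str] | None:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def run(log_text: str) -> tuple[dict[str, int], dict[str, list[str]]]:
    """Tally verdicts and flag the pattern the original post fears.

    A visitor who merely suppresses referers still fetches the site's HTML pages;
    a visitor sent straight to an image by someone else's page never does. So a
    client IP with blank-referer image hits and no non-image request is reported.
    """
    verdicts: Counter[str] = Counter()
    saw_page: set[str] = set()
    blank_hits: defaultdict[str, list[str]] = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict, _served = decide(rec["path"], rec["referer"])
        verdicts[verdict] += 1
        if verdict == "not-image":
            saw_page.add(rec["ip"])
        elif verdict == "blank-referer":
            blank_hits[rec["ip"]].append(rec["path"])
    suspicious = {ip: paths for ip, paths in blank_hits.items() if ip not in saw_page}
    return dict(verdicts), suspicious


# Constructed sample log lines (documentation IP ranges; not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2004:13:55:36 -0700] "GET /gallery/index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Oct/2004:13:55:37 -0700] "GET /photos/building.jpg HTTP/1.1" 200 812345 "http://www.example.com/gallery/index.html" "Mozilla/4.0"
198.51.100.7 - - [10/Oct/2004:13:56:01 -0700] "GET /photos/building.jpg HTTP/1.1" 200 812345 "http://lazy.example.net/pics.html" "Mozilla/4.0"
192.0.2.9 - - [10/Oct/2004:13:57:12 -0700] "GET /photos/building.jpg HTTP/1.1" 200 812345 "-" "Mozilla/4.0"
192.0.2.9 - - [10/Oct/2004:13:58:40 -0700] "GET /photos/bridge.jpg HTTP/1.1" 200 901234 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    tally, flagged = run(SAMPLE_LOG)
    print("verdicts:", tally)
    for ip, paths in flagged.items():
        print(f"{ip}: fetched {len(paths)} image(s) with a blank referer and never loaded a page: {paths}")
```

Two practical notes. A linking page can deliberately strip the referer (rel="noreferrer" on the link, or a restrictive Referrer-Policy), so the blank-referer case really is reachable whatever a particular browser does with new windows. And the log check is a heuristic, not proof: a visitor who bookmarked an image, or whose privacy tools blank every referer and who then only ever looks at images, shows the same pattern, so treat a flagged IP as something to look at, not something to block automatically.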
Referer would still (normally) be present in the raw log unless the user blocks it.
If a person clicks on a link to open a new browser window there is no referer. You would have no way of knowing where this link that opens your photo is coming from. Feel free to test it out for yourself.
As for cookies and sessions, there are ways of stopping hotlinking through them, but it is quite advanced and could potentially burden a server. You'll have to ask someone else to explain how it is done because I have never done it personally. I just know it can be done.