Hotlink Protection for mp3

     
4:16 am on Jan 19, 2004 (gmt 0)

New User

10+ Year Member

joined:Jan 19, 2004
posts:4
votes: 0


The configuration in my .htaccess file is as follows:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite\.net [NC]
RewriteRule \.(jpg|jpeg|gif|png|bmp|mp3|mov|wmv|rm|ram|wma)$ - [NC,F]

The main reason for using this is to protect my mp3 files. I tried left-clicking on one of my links from another referer and, as expected, I get a forbidden page. However, if I right-click and choose "Save Target As", the mp3 file is still downloadable. How can I protect against right-click as well? That is, when a person right-clicks from another referer, it will save as an htm file or anything similar...

Please help, thanks.

5:31 am on Jan 19, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


Protection,

Welcome to WebmasterWorld [webmasterworld.com]!

Unless you use passwords and cookies or sessions, you can't really protect your files completely. I think you'll find -- if you look at your raw server logs -- that the right-click-Save As is making a request with a blank referrer. So, to block it, you'd need to disable accesses with blank referrers by removing the first RewriteCond in your code.

However, many Internet Security solutions, NAT proxies used on home networks, ISP caches and proxies, etc., suppress the referrer header in the http request. So, if you block blank referrers, then 25% to 50% of your visitors will think your site is broken, or even worse, intermittently-broken, because they will usually be completely unaware of the action of the caches and proxies they are connecting through.

So, you're going to need to implement cookies or session IDs along with some kind of user authentication if you really want to get serious about protection against determined downloaders.

I'm not happy about it either, but HTTP_REFERER is simply not reliable. :(

There's another band-aid solution, by the way, and that is to disable right-click with JavaScript. However, that makes people mad when they try to use it for Open page in New Window, so they will leave your site thinking it's broken or that you are unfriendly to users. And the people who really want to steal your stuff will simply disable their JavaScript and right-click away. So this fix has more negatives than positives...

In most cases, blocking by referer is not totally useless - it stops casual theft and hotlinking by making it more difficult. The majority of troublemakers will go somewhere else where it is easier to grab what they want. But if you are up against knowledgeable and determined persons, then you need real security, not quick-fixes. So, cookies, sessions, password logins...

Jim

5:43 am on Jan 19, 2004 (gmt 0)

New User

10+ Year Member

joined:Jan 19, 2004
posts:4
votes: 0


Thank you for replying.. it was pretty fast.

Will there be a problem with blank referer if I put all my direct download links in my Invision Board forum (works with cookies)? That is to say, people must log in to my forums to see the links.

To be clear, what I want is that the "right click save target as" works only when it's being done in my forum. Anywhere else, it shouldn't work.

Will there be a problem with blank referer even if people are logged in to the forum? Or will the security software still hide the referer header?

Thanks

11:56 pm on Jan 19, 2004 (gmt 0)

Senior Member

WebmasterWorld Senior Member jdmorgan is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 31, 2002
posts:25430
votes: 0


Protection,

HTTP_REFERER is unreliable, no matter what.

What I propose is that you modify your script(s) to generate dynamic links to the files you wish to protect, and set it up so that the only way to get the correct link is to log in. Change the links every hour or every day, or even for every user login. This will make it impossible for anyone to 'find' the link unless they are logged in. After they are logged in, let them do whatever they want to do with their browser.

You may want to ask questions about modifying your script(s) in the appropriate scripting forums, since this thread has now gone beyond the Apache server scope.

Jim

<added> A little more discussion on hotlink protection and HTTP_REFERER here [webmasterworld.com]. </added>
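
The dynamic-link idea from the last reply, sketched as an added example (not code from the thread or from any poster): rather than renaming files on a schedule, the page shown to a logged-in user issues links that carry an expiry time and an HMAC, and the download handler refuses anything expired or altered, with no reliance on HTTP_REFERER. Python is used for illustration; `SECRET`, `LINK_TTL`, `make_link`, `verify_link` and the query parameters `u`, `e`, `t` are assumed names.

```python
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Assumption: a secret held only by the link generator and the download
# handler. Constructed demo value; load a real one from configuration.
SECRET = b"constructed-demo-secret-change-me"
LINK_TTL = 3600  # seconds a link stays valid ("change the links every hour")


def _sign(path, user, expires):
    """HMAC over every field the download handler will later trust."""
    # JSON gives an unambiguous encoding, so fields cannot bleed into each other.
    msg = json.dumps([path, user, expires]).encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def make_link(path, user, now=None):
    """Build a link; call this only while rendering a page for a logged-in user."""
    expires = int(time.time() if now is None else now) + LINK_TTL
    token = _sign(path, user, expires)
    return f"{quote(path)}?u={quote(user)}&e={expires}&t={token}"


def verify_link(url, now=None):
    """Return True only for an unexpired link whose fields are unmodified."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        user = query["u"][0]
        expires = int(query["e"][0])
        token = query["t"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameter
    if (time.time() if now is None else now) > expires:
        return False  # link is too old
    expected = _sign(unquote(parts.path), user, expires)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(expected.encode(), token.encode())
```

A request for the bare file URL, which is all a hotlinker or a guessed path can produce, fails the same check, so the files should be served only through the handler that calls `verify_link`.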