I have successfully made my first .htaccess file which works like a charm with one exception...
It seems Internet Explorer doesn't like it when I protect flash (.swf) files using mod_rewrite...
Here's my .htaccess file:
RewriteEngine on
RewriteCond %{REQUEST_URI} !^/hotlink_allowed/.+ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www\.|forum\.)?mysite\.com [NC]
RewriteRule \.(jpg|gif|png|bmp|mp3|wav|pdf|swf)$ /hotlink_allowed/hotlink.$1 [NC]
It successfully blocks hotlinking from every directory except /hotlink_allowed/ (from which other sites are supposed to be allowed to hotlink)...
However, when using IE (version 6) it also blocks flash files when I try to access them through my site. This is not the case with Opera or Mozilla though, and that's why I'm puzzled.
Is the problem in my .htaccess file or is it IE that's causing it?
Could it be that IE sends some strange HTTP_REFERER string which my .htaccess file doesn't interpret correctly?
Has anybody got any ideas on how to correct this little problem?
(lots of questions :) )
Thanks in advance / smuts
.htaccess is not "visible" to a browser, unless the code behaves differently because you test {HTTP_USER_AGENT} and act on it.
It may be that IE does not send a referrer when requesting .swf files. As written, your code requires a non-blank referrer, which means that many visitors behind proxies, firewalls, and internet security software won't be able to see your images, etc. Check your logs on a failed IE request for a .swf file, and find out if it sends a referrer.
You'll need to add a line if you want/need to allow "no referrer" access. This creates a hole in your anti-hotlink protection, but you'll have to decide based on your log files how many visitors you're losing, and whether it is worth it.
To allow blank referrers, and as a test for your IE problem, add this line:
RewriteCond %{HTTP_REFERER} !^$
HTH,
Jim
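The log check suggested above, as an added example that is not code from the thread: it tallies requests for the protected file types in a Combined Log Format access log by browser, extension and referrer class. The log lines are constructed and the function names are this example's own.

```python
import re
from collections import Counter

# Combined Log Format: host ident user [time] "request" status bytes "referer" "agent"
LINE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Extension list and allowed hosts copied from the rules posted in the thread.
PROTECTED = re.compile(r'\.(jpg|gif|png|bmp|mp3|wav|pdf|swf)$', re.I)
ON_SITE = re.compile(r'^http://(www\.|forum\.)?mysite\.com', re.I)

def classify_referrer(ref):
    # A missing Referer header is logged as "-"; a client that sends a
    # literal "-" is logged the same way, so the log cannot tell them apart.
    if ref in ("", "-"):
        return "blank"
    return "on-site" if ON_SITE.match(ref) else "off-site"

def browser(ua):
    # Opera of that era could identify itself as MSIE, so test for it first.
    if "Opera" in ua:
        return "Opera"
    return "MSIE" if "MSIE" in ua else "other"

def summarize(lines):
    counts = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]
        ext = PROTECTED.search(path)
        if ext and not path.lower().startswith("/hotlink_allowed/"):
            key = (browser(m["ua"]), ext.group(1).lower(), classify_referrer(m["ref"]))
            counts[key] += 1
    return counts

# Constructed sample lines (documentation IP ranges, invented paths).
SAMPLE = [
    '192.0.2.10 - - [10/Oct/2003:13:55:36 +0000] "GET /flash/intro.swf HTTP/1.1" 200 2326 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '192.0.2.11 - - [10/Oct/2003:13:56:02 +0000] "GET /flash/intro.swf HTTP/1.1" 200 48211 "http://www.mysite.com/index.php" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624"',
    '192.0.2.10 - - [10/Oct/2003:13:55:35 +0000] "GET /img/logo.gif HTTP/1.1" 200 1820 "http://www.mysite.com/index.php" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
    '203.0.113.5 - - [10/Oct/2003:14:01:17 +0000] "GET /img/logo.gif HTTP/1.0" 200 2326 "http://example.org/page.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Opera 7.11 [en]"',
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)
```

A high count of `MSIE swf blank` next to `MSIE gif on-site` from the same visitors would point to the browser omitting the referrer on .swf requests rather than to a fault in the rules.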
I'll have to do some serious thinking about this... I'll get back to you.
Thanks for your help.
The Common Log Format and Extended NCSA Log Format both show "-" if the referrer is, in fact, blank.
A WebmasterWorld member posted an exploit report, though, where an e-mail harvester actually sent a "-" character as a referrer in order to bypass blank referrer blocks. I added a "special" rule for that one... :)
Jim
I did think of another way that could work for me.
I'll explain. All of my pages are displayed through index.php. And the variable which tells index.php which page to show is called '$inc'. Is there any way I can check if the variable 'inc' exists and what its contents are in .htaccess? This way I could block any request that doesn't include the variable inc.
Anybody?