Hi,

Say I got a request toward my server for a file, say, "whatever.mp3"

Say it's not a real visitor clicking on a link to surf whatever.mp3.

However, it's some website putting things like:

<sometag src="http://mydomain.com/whatever.mp3">

How do I know that it's not a real visitor? That way I can save bandwidth from such hot linking and serve other things, like redirect the visitors to my site?

    You could use a .htaccess rewrite rule (see the Apache HTTPD documentation, mod_rewrite documentation for that).

    You could also use the $_SERVER['HTTP_REFERER'] (note the misspelling); however, that's not always set.

    Additionally, you could turn on the hotlink protection from your control panel if you have it. I know cPanel offers this.

      bpat1434 wrote:

      You could use a .htaccess rewrite rule (see the Apache HTTPD documentation, mod_rewrite documentation for that).

      You could also use the $_SERVER['HTTP_REFERER'] (note the misspelling); however, that's not always set.

      Additionally, you could turn on the hotlink protection from your control panel if you have it. I know cPanel offers this.

      The problem with using http_referer is: what if it's a real visitor who came from another website?

      I like to avoid .htaccess; I want to do this the full PHP way. Of course, I can check the extension of the file. If the extension is mp3, for example, it's unlikely people click to get me.

      However, what about frames? There are many frames?

      How on earth does .htaccess "know" that my file is being hotlinked rather than actual visitors coming?

        The .htaccess http_referer and the php $_SERVER['http_referer'] will yield the same exact results.

        The problem with using http_referer is: what if it's a real visitor who came from another website?

        That's an issue. What if it is? Well, then you've got to find a way to deal with that. One thing you could do is offer a "Lo-Fi" version of your site which uses no images whatsoever. Kind of like the vBulletin Lo-Fi version of some sites. Then, once they're there, you start a session. Just keep that session going and always set a header like $_SESSION['HTTP_REFERRER']. Use a weird hashed key or something, or just a simple true/false.

        Then, when a user visits your site, they'll see a "lo fi" version of your site. Any link past that will enable a "Hi fi" version where images are included. On every subsequent page, you'd just update the HTTP_REFERRER with the current URL.

        Alternatively, you could just use a .htaccess in the images folder(s) and only allow your site access to it. Something along the lines of:

        RewriteEngine On
        # Refuse the request unless the Referer host is mysite.com, www.mysite.com or subdomain1.mysite.com
        RewriteCond %{HTTP_REFERER} !^https?://((www|subdomain1)\.)?mysite\.com(/|$) [NC]
        RewriteRule .* - [F]

        Something like that should give direct "lookey loos" a 403 Forbidden page at that link, and your site should be allowed in. That is if you set the HTTP_REFERER header on every page:

        header('REFERER: ' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF']);

        Not saying that exact code will work, but something along those lines.

        You could also do a rewrite rule against the IP(s) of your server if you know they're static. That way, any traffic coming from ip 192.168.1.186 will be allowed, but coming from 192.168.1.245 will not. This way would probably catch more unauthorized people than the one above, but the one above should help cut down on your bandwidth.

        Oh, and you can add an index.php file that either gives them a 403 forbidden to view the directory contents, or reroutes them to your site. That's a good first step.

        I'd take it one step further and use this type of .htaccess file:

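        RewriteEngine On
        # [OR] joins the two tests: refuse when the Referer is not mysite.com (or a subdomain) or when the client IP is not 192.168.1.186
        RewriteCond %{HTTP_REFERER} !^https?://([^/]+\.)?mysite\.com(/|$) [NC,OR]
        RewriteCond %{REMOTE_ADDR} !^192\.168\.1\.186$
        RewriteRule .* - [F]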

        Hope that helps.
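
A PHP-only version of the Referer check discussed in this thread, as an added example that is not part of any post: it classifies the request by the parsed Referer host, redirects requests referred from other sites to the home page, and serves the file otherwise. `ALLOWED_HOST`, `MEDIA_DIR`, the `file` query parameter and `referer_verdict()` are assumed names, and serving requests that carry no Referer is an assumed policy.

```php
<?php
// Added example; ALLOWED_HOST, MEDIA_DIR and ?file= are assumptions.
const ALLOWED_HOST = 'mydomain.com';
const MEDIA_DIR    = __DIR__ . '/media';

/**
 * Classify a request by its Referer header:
 *   'own'     - referred from $allowedHost or one of its subdomains
 *   'none'    - no Referer (typed URL, bookmark, header stripped)
 *   'foreign' - referred from another site (embed or plain link)
 */
function referer_verdict(?string $referer, string $allowedHost): string
{
    if ($referer === null || $referer === '') {
        return 'none';
    }
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host)) {
        return 'foreign';            // unparsable value: treat as foreign
    }
    $host   = strtolower($host);
    $suffix = '.' . strtolower($allowedHost);
    // Compare the parsed host, not a substring, so that
    // "mydomain.com.evil.example" and "evil.example/?mydomain.com" fail.
    if ($host === strtolower($allowedHost)
        || substr($host, -strlen($suffix)) === $suffix) {
        return 'own';
    }
    return 'foreign';
}

if (PHP_SAPI !== 'cli') {            // act only on real HTTP requests
    $verdict = referer_verdict($_SERVER['HTTP_REFERER'] ?? null, ALLOWED_HOST);
    // basename() drops any directory part, so "../" cannot leave MEDIA_DIR
    $path = MEDIA_DIR . '/' . basename((string)($_GET['file'] ?? ''));

    if ($verdict === 'foreign') {    // hotlink or outside link: send to the site
        header('Location: https://' . ALLOWED_HOST . '/', true, 302);
        exit;
    }
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: audio/mpeg');   // assumes MP3 files, as in the thread
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

The Referer header is supplied by the client and can be omitted or forged, so this reduces casual hotlinking bandwidth and is not access control.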
