More (probably too much more) on the subject...

Many browsers, and others (when the user knows a few things) can fake the referrer, so if it is a serious problem for you, then you 'may' not benefit from any of this.

I am drawing up a token system to try to handle this, which may be cookie based. In this day, I think most people would be accepting cookies as a way of life. The cookie would essentially have an encryption of various bits of useful information carrying credentials (and a very short ttl). The server presenting the image will read this, qualify it, and show the image. No cookie, no pic. Cookie, credentials, you get it.

We may be talking different issues, as mine involves about 2 million pretty pictures.

No matter how you look at it, using the referrer to solve this problem is hokey.

P

-----Original Message-----
From: jslive@xxxxxxxxx [mailto:jslive@xxxxxxxxx]
Sent: Wednesday, May 11, 2005 7:46 AM
To: users@xxxxxxxxxxxxxxxx
Subject: Re: [users@httpd] Apache improvement suggestion

On 5/11/05, Uri Raz <uri_raz@xxxxxxxxxxxxxx> wrote:
> Hello,
>
> I have a problem with object theft on my web site - bloggers & forum
> participants link directly to images on my web site, so they get the
> content and I get the traffic bill at the end of the site. The solution
> suggested to me by the hosting company (which uses apache) is to use an
> '.htaccess' file which would block access based on the referrer field.
>
> Problem with that solution is that many surfers block the referrer field
> using a proxy or a firewall, including some surfers who browse my site and
> legitimately expect the graphics to come up. My idea is to have apache
> remember which IP requested a page (a file with an appropriate
> extension / MIME type, e.g. HTML) in the last X seconds and allow only
> those who did get graphics files.

This has major problems (some of which you mention) and, more importantly, is unnecessary.

To solve this problem, simply allow through any request with *no* referer field, in addition to requests with the proper referer. Then anyone trying to inline your images will still find that 95% of people visiting their page will find it broken, so they won't get any benefit from the inlining. The fact that 5% of the requests will succeed shouldn't matter.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
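
The short-lived cookie token described in the top reply of this thread, sketched as an added example that is not code from any poster or from the Apache project. It signs the cookie with an HMAC instead of encrypting it; the key, the 30-second TTL and the `client_id` binding value (for instance the client address) are assumptions.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side key, never sent to clients
TTL_SECONDS = 30                  # assumption: stands in for the "very short ttl"


def _sign(payload):
    return hmac.new(SECRET, payload, hashlib.sha256).digest()


def issue_token(client_id, now=None):
    """Cookie value to set when an HTML page is served to client_id."""
    now = time.time() if now is None else now
    payload = f"{client_id}|{int(now) + TTL_SECONDS}".encode()
    enc = base64.urlsafe_b64encode
    return enc(payload).decode() + "." + enc(_sign(payload)).decode()


def may_serve_image(cookie, client_id, now=None):
    """Image-side check: refuse a missing, malformed, forged, foreign or expired cookie."""
    now = time.time() if now is None else now
    if not cookie:
        return False  # no cookie, no pic
    try:
        payload_b64, sig_b64 = cookie.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:
        return False
    # Verify the signature before trusting anything inside the payload.
    if not hmac.compare_digest(sig, _sign(payload)):
        return False
    bound_id, expires = payload.decode().rsplit("|", 1)
    return bound_id == client_id and now <= int(expires)
```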