Quote:
Originally Posted by Khun
You can prevent people from directly accessing an image by typing in the URL in their browser, however, some surfers may use a personal firewall or antivirus program that deletes the page referer information sent by the web browser. Hotlink protection is based on this information. So if you choose not to allow blank referers, you will block these surfers.
Okay, I see what you're saying. There could be something set up on a webserver where you say you can only get an image if you are accessing it from a web page on the same site. And that would depend on the referer, which, as you correctly say, can be circumvented/disabled.
But...
Your security should not depend on the page referer at all. The .htaccess file can be configured a lot of different ways, but essentially for a paysite scheme, you want it configured to require basic authentication. And it can reference a .htpasswd file containing valid usernames and passwords. Further, you want your secure site to be served via HTTPS, which is a separate configuration. So after that is done, access to any resource under your secure directory is going to prompt for a username and password from the first access during a web session. It won't matter if you type in a direct URL or go in through the landing page of the members site.
At no point in this authentication process does the browser or web server care what the referer URL is. If the user happened to disable their browser in some strange way that it could not participate in the authentication process, the web server will simply not serve the content.
Also, I think it is a good idea to configure the referer check too, even on your free section. It will prevent people from using your servers to host content delivered from their sites. It won't prevent them from simply stealing the images, but at least you don't end up being their free host.
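One way to set up both parts of what the post describes, as an added example (not the poster's own configuration): two Apache .htaccess files, one for the members directory (basic auth over HTTPS) and one for the free section (a referer check that still admits blank referers). It assumes Apache with mod_auth_basic, mod_ssl and mod_rewrite enabled, AllowOverride permitting these directives, example.com as the site name, and /etc/apache2/members.htpasswd as the password file path.

```apache
# ---- /var/www/site/members/.htaccess  (path is an assumption) ----

# Refuse plain-HTTP requests so credentials are only ever sent over TLS.
# mod_ssl's SSLRequireSSL answers 403 when the connection is not HTTPS.
SSLRequireSSL

# Basic authentication; every request under this directory must carry
# valid credentials, no matter which URL was typed or linked.
# Create the file (outside the web root) with:
#   htpasswd -c /etc/apache2/members.htpasswd alice
AuthType Basic
AuthName "Members Area"
AuthUserFile /etc/apache2/members.htpasswd
Require valid-user

# ---- /var/www/site/free/.htaccess  (path is an assumption) ----

# Anti-hotlinking for the free section. This is bandwidth protection only,
# not access control: the Referer header is client-supplied and optional.
RewriteEngine On

# Let requests with no Referer through (privacy tools, typed URLs, some
# proxies strip the header), and requests whose Referer is our own site.
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]

# Everything else asking for an image gets 403 instead of the file.
RewriteRule \.(jpe?g|png|gif|webp)$ - [F,NC]
```

Dropping the `!^$` condition is what blocks the blank-referer visitors the quoted post warns about; keeping it means a hotlinker who strips the header gets through, which is the accepted trade-off since the members content never relies on this check.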