On 22 Feb 2007, at 20:46, Nathan Vack wrote:
> If people are stealing MP3s, checking referer won't work. It can be trivially spoofed.
Can be, but usually isn't. The good thing about hotlinking is that nobody uses the web with referers disabled. I certainly don't.
> You'll need real authentication to stop theft -- either with sessions, or HTTP auth.
That would be best indeed. It's just that direct links to mp3 files never see Rails, so you need to fix it in the web server. Pretty soon you're looking at quite some work if you want to do it right. Some web servers provide an easy switch to prevent hotlinking; it might -- might -- be an interesting addition to Mongrel. At Zed's discretion.
I use sessions and prevent hotlinking at server level too -- it's just an easy thing to do and has great results. I think there might be a problem with the poster's regexps. This page lists good ones and has a quick test to see if your rules work.
http://altlab.com/htaccess_tutorial.html

The example they provide:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?myspace\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?blogspot\.com/ [NC,OR]
RewriteCond %{HTTP_REFERER} ^http://(.+\.)?livejournal\.com/ [NC]
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpe [L]
_______________________________________________
Mongrel-users mailing list
http://rubyforge.org/mailman/listinfo/mongrel-users
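
Added example, not part of the original message or the linked tutorial: a Ruby check that evaluates the quoted RewriteCond/RewriteRule patterns against constructed requests, to see which requests the rule set actually rewrites. The names served_path and audit, and every sample path and Referer value, are assumptions made for illustration.

```ruby
# Added example (not from the thread or the linked tutorial).
# Patterns transcribed from the quoted rules. Apache's ^ and $ are written
# as \A and \z because Ruby's ^ and $ match per line; [NC] becomes /i.
BLOCKED_REFERERS = [
  %r{\Ahttp://(.+\.)?myspace\.com/}i,
  %r{\Ahttp://(.+\.)?blogspot\.com/}i,
  %r{\Ahttp://(.+\.)?livejournal\.com/}i
].freeze

# The RewriteRule carries only [L], so its pattern stays case-sensitive.
PROTECTED_PATH = /.*\.(jpe?g|gif|bmp|png)\z/
REPLACEMENT = "/images/nohotlink.jpe"

# Path that would be served. referer is nil when the client sends no
# Referer header; the conditions then test an empty string.
def served_path(path, referer)
  return path unless PROTECTED_PATH.match?(path)
  # Conditions are chained with [OR]: one match is enough.
  blocked = BLOCKED_REFERERS.any? { |re| re.match?(referer.to_s) }
  blocked ? REPLACEMENT : path
end

# Constructed sample requests: [path, Referer header or nil].
SAMPLES = [
  ["/img/cat.jpg", "http://profile.myspace.com/user"],
  ["/img/cat.jpg", "HTTP://WWW.BLOGSPOT.COM/post"],
  ["/img/cat.jpg", nil],
  ["/img/cat.jpg", "https://www.myspace.com/user"],
  ["/img/cat.JPG", "http://www.myspace.com/user"],
  ["/music/song.mp3", "http://www.myspace.com/user"],
  [REPLACEMENT, "http://www.myspace.com/user"]
].freeze

# One row per sample: [path, referer, served path].
def audit(samples = SAMPLES)
  samples.map { |path, ref| [path, ref, served_path(path, ref)] }
end

if __FILE__ == $PROGRAM_NAME
  audit.each do |path, ref, served|
    status = served == path ? "served as-is" : "rewritten to #{served}"
    puts format("%-24s %-36s %s", path, ref.inspect, status)
  end
end
```

Only the first two samples are rewritten. The rule set is a blocklist of three sites over http:// only, matches lowercase image extensions, lets requests without a Referer through, and does not cover the MP3 files this thread is about.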
