If Windows Media Player (or its embedded plugin) is requesting the file and NOT the browser itself, then you can’t use this method of protection because the HTTP Referer field will always be blank.

If you merely want to offer these files for download-only (so the browser doesn’t pass the request on to WMP, or any other an external application), you can tell the browser to treat this file as an attachment by adjusting the ‘content disposition’ for WMV files on your web server. This will make referer protection work as effectively as it does for images, but it means your viewers will have to download the video files before viewing them.

If that doesn’t meet your requirements, you can take one of several other approaches.

There are third party Apache modules available that attack this problem. I know of two: AHL and ConvertVP. I’ve had limited experience with AHL and it works however it doesn’t scale beyond 1 server. I’ve had no experience with ConvertVP because it only works for Apache 1.3.

The theory behind AHL is quite simple:

All requests for protected video files are denied unless the client’s IP is whitelisted.

The webmaster designates a dummy CSS file to be used as a “permission slip” and when hit, the client’s IP is whitelisted.

The whitelist period is defined by the webmaster (e.g. 30 minutes).

The webmaster includes the CSS file on his page so when the client visits, their browser hits it and their permission slip is granted.

That’s pretty much it.

To stop others from simply hotlinking your CSS file, you can use the same HTTP Referer method of protection you’re using for images.

Also, if one AOL proxy IP is whitelisted, they’re all whitelisted because AOL users rarely go through the same proxy from hit to hit.

There are other approaches to solving this problem but this one is quite simple and effective.

http://www.second.com in sudirectory lrbmx i have a index.html

how redirect my second domain in http://www.primary.com

this is my htaccess
RewriteEngine on
RewriteCond %{HTTP_HOST} second.com$ [NC]
RewriteRule ^(.*)$ http:\\www.primary.com\lrbmx\$1 [R]

and the respond
500 Internal Server Error

Someone else?

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?yourwebsite\.com [NC]
RewriteRule \.(wmv|flv)$ - [F,NC,L]

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?yourwebsite\.com [NC]
RewriteRule \.(wmv|flv)$ - [F,NC,L]

Changing “yourwebsite” above, of course. Also, watch the linebreak… there are 3 lines of code, not 4.

Thank you again…

I decided to test a few lines of my own code, after I wrote the last reply, and I found that I could use this line of code in your .htaccess file:

ErrorDocument 403 http://www.someWebSite.com/HTMLPages/ErrorPages/youHaveAProblemPage_error404.html

where an error 403 page is redirected to a 404 error page of my own creation. I also decided to include a simple Java countdown script from ten to zero within the 404 error page, to give the user a chance to read what the error page meant. When the countdown reaches zero, the user is automatically redirected to my home page. I also decided to place a simple “go there now” button at the bottom of the page, for the impatient users, to get back to the home page too. :)

I will give your code a good review.

Again thank you for your time, since I did not expect any information at all, from anyone. Your solution is outstanding to say the least…

jim k

Instead of giving a 403 FORBIDDEN, you can fake a 404 document. Not only does it look like a 404, it returns the 404 HTTP response code, too. It’s essentially indistinguishable from a truly “not found” document.

Save the following as “fake404.php” in the root level of your website:

<?php
header(”HTTP/1.0 404 Not Found”);
?>
<!DOCTYPE HTML PUBLIC “-//IETF//DTD HTML 2.0//EN”>
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /<?php
if ($_SERVER['QUERY_STRING']) :
echo $_SERVER['QUERY_STRING'];
endif;
?> was not found on this server.</p>
<p>Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>

Here’s the htaccess:

# Disable directory indexes
Options -Indexes

# Require images to be linked to or embedded from my site
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?someWebSite\.com [NC]
RewriteRule ^(.*)\.(gif|jpe?g|png)$ /fake404.php?$1.$2 [NC,L]

Watch the linebreaks on the htaccess…

Thank you kind sir…

It works as advertised. That said, I see your code will generate a 403 error, so maybe I need to address this with a different error code message, which in turn generates a 404 error, because I do not have these error pages set up to respond properly.

I really do not wish to let the data miner know he is only a few inches from pay dirt. So if I have a different error message appear, instead of “you do not have permission to access this file,” maybe it should read “Bad request,” or “Document not found.”

Good idea, or bad idea?

As a side note, my own Cocoa data miner application gets sent home. :)

Thank you again

jim k

Thank you for your very quick reply…

I will work on this suggestion tonight and tell you how it went, possibly sometime tomorrow. I have a new website with a new host, and it seems that I also have a new version of cPanel, where many .htaccess commands are initiated from this panel. I notice that this new cPanel places several .htaccess files into folders (directories) I wish to protect, and the automatically links these “sub” .htaccess files back to the main .htaccess, compared to simply writing my own.

That said, I do realize most of this exercise might be very futile, and I appreciate your feedback, and more so, your help.

I will contact you shortly…

Thank you again,

jim k