Htaccess / Norton question

I’ve managed to add a .htaccess file that manages to keep ~80% of users from seeing hotlinked files. In trying some test posts on some friends via a blog hosted elsewhere I’ve discovered the 20% that view the correct image file instead of the redirect are using Norton security. This is apparently due to whatever Norton does with the HTTP_REFERER lines (I’m no genius with this) from my research.

This is the file I’m using:

Options +FollowSymlinks
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www.)?$ [NC]
RewriteCond %{HTTP_REFERER} !^http://(www.)?$ [NC]
RewriteRule .*.(gif|jpg|bmp|png|mp3|mpg|avi|mov)$ [R,NC]
Options -Indexes

Is there a way to block the Norton users from viewing the hotlinked images unless of course they are looking directly at the site?

Not easily since HTTP is stateless.

Conceivably you could set a cookie and have the site check for the existence of the cookie.

One can also monitor the requests and attempt to determine if a request is the result of a “session” (e.g., visitor going to home page, then gallery page, then picture page).

I wasn’t aware of this issue with Norton, and I’m assuming other security software, until I set this up the other week. It makes me wonder if the .htaccess hotlinking will be rendered useless when more people are using security / privacy software.

I have known about Norton blocking the referer header for quite a while. The only reason I have known this is I have an icon on my web site for the W3C validator. The validator will not work through the link unless Norton is disabled.

Try deleting this line:

RewriteCond %{HTTP_REFERER} !^$

I think Norton security makes the referrer info blank, which that line allows for.


That seems to have done the trick with those that could see the original pic before. Thank you!
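The trade-off discussed in this thread, modelled as an added example (not code from any poster): it compares the original rules (blank Referer allowed), the rules with the `!^$` line deleted (blank Referer blocked), and the cookie fallback suggested above. The domain `example.com`, the cookie name `seen_site` and the sample requests are assumptions constructed for illustration.

```python
import re

SITE = "example.com"  # assumption: placeholder, the thread's real domain is not shown
OWN_SITE = re.compile(r"^https?://(www\.)?" + re.escape(SITE) + r"(/|$)", re.I)

def referer_only(referer, allow_blank):
    """Model of the thread's rule set. allow_blank=True keeps the
    `RewriteCond %{HTTP_REFERER} !^$` line, False deletes it."""
    if not referer:
        return allow_blank
    return bool(OWN_SITE.match(referer))

def referer_or_cookie(referer, cookies):
    """Cookie fallback: pages on the site set a marker cookie (hypothetical
    name seen_site); a blank Referer is trusted only when it is present.
    Cookies are client-controlled, so this deters hotlinking, nothing more."""
    if referer:
        return bool(OWN_SITE.match(referer))
    return cookies.get("seen_site") == "1"

# Constructed requests: (label, Referer header, cookies sent with the image request)
REQUESTS = [
    ("own page, normal browser", "http://www.example.com/gallery.html", {"seen_site": "1"}),
    ("own page, referer stripped", "", {"seen_site": "1"}),
    ("hotlink, normal browser", "http://blog.example.net/post", {}),
    ("hotlink, referer stripped", "", {}),
    # A past visitor's browser may still send the cookie on a hotlinked request.
    ("hotlink, stripped, past visitor", "", {"seen_site": "1"}),
]

def evaluate():
    """Return {label: {policy: served?}} for every constructed request."""
    return {
        label: {
            "allow_blank": referer_only(ref, True),
            "deny_blank": referer_only(ref, False),
            "cookie": referer_or_cookie(ref, cookies),
        }
        for label, ref, cookies in REQUESTS
    }

if __name__ == "__main__":
    for label, verdicts in evaluate().items():
        cols = " ".join(f"{k}={'serve' if v else 'block'}" for k, v in verdicts.items())
        print(f"{label:34}{cols}")
```

The second row is the side effect of deleting the `!^$` line: visitors whose software blanks the Referer are also blocked from images on the site's own pages.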