If other sites hotlink the resources of a small site, the resulting "useless" traffic puts pressure on the webmaster (traffic also costs money). Hotlinking can be prevented at two levels: on the server, and by checks inside the program. Different servers handle this differently, and IIS needs specific anti-hotlinking software installed. Today we mainly discuss implementing hotlink protection in the program.
Principle Explanation
A popular approach at the moment is to implement hotlink protection with a handler. Specifically, create a new class that processes file requests (implementing IHttpHandler) and configure Web.config so that all requests for those files point to that class. The class then checks whether the request has a previous request (a referrer) and whether it points to our site's domain name. If so, the request is not considered hotlinking and the real file is returned; otherwise an error picture is returned.
Let's imagine that another website references an image from our site in one of its articles. When someone requests that article, the request goes to their server, which returns HTML for the browser to parse. When the browser reaches our picture's address, it sends a request for the picture to us. Because we have configured such requests to be forwarded to our class, the program checks whether the request has a previous request from our site (the visitor requested only our picture and nothing else from us, so of course there is none) and, finding none, returns the error picture. With this process in mind, it is easy to see why pictures display correctly on our own pages: the user requested that page first, so there is a previous access record, and when the browser requests our picture it is returned correctly. Is that clear?
Code Implementation
First, create a class that implements IHttpHandler; here I call it Forbiddeninvalitedownload:
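    using System.Web;

    namespace Namespace
    {
        public class Forbiddeninvalitedownload : IHttpHandler
        {
            // The handler keeps no per-request state, so one instance can be reused.
            public bool IsReusable
            {
                get { return true; }
            }

            public void ProcessRequest(HttpContext context)
            {
                // A referrer is present: treat the request as legitimate and send the file.
                if (null != context.Request.UrlReferrer)
                {
                    context.Response.Expires = 0;
                    context.Response.Clear();
                    context.Response.ContentType = "image/jpeg";
                    context.Response.WriteFile(context.Request.PhysicalPath);
                    context.Response.End();
                }
                else
                {
                    // No referrer: treat the request as hotlinking.
                    context.Response.Expires = 0;
                    context.Response.Clear();
                    context.Response.ContentType = "text/html";
                    context.Response.Write("hotlinking");
                    context.Response.End();
                }
            }
        }
    }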
The code is short and easy to follow. It uses context.Request.UrlReferrer to determine whether a previous request exists: if it exists the request is considered legitimate, otherwise it is treated as hotlinking. As written, it checks only that a referrer is present and does not compare it with our domain name.
This class alone does not receive all the JPG requests; we also need to register it in Web.config, in the httpHandlers section under system.web:
    <add verb="*" path="*.jpg" type="Namespace.Forbiddeninvalitedownload, Namespace" />
It should also be mentioned that by default IIS does not pass requests for JPG files to ASP.NET but serves the files directly. So we must also configure IIS to forward all JPG requests to our handler instead of serving them directly. The configuration is as shown in the figure.
At this point, your site can prevent its JPG files from being hotlinked. Other file types such as zip can be handled the same way: you can write one common class that decides what to do according to the suffix of the request. The effect is shown in the figure.
Is it over?
The approach above does not stop Thunder and other download software: these addresses can still be downloaded from inside Thunder. If another site links to one of your .zip files, it can be downloaded directly. So how do we solve this? My current idea is to add session validation.
When the user visits your download page, set Session["visited"] = "true" in the page's load event, and then add a session check to the download handler. The code is as follows (note that the handler must implement System.Web.SessionState.IRequiresSessionState to use the session):
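    // Body of ProcessRequest. Session values are stored as object, so convert to
    // string before comparing; == on an object would compare references, not text.
    if (null != context.Request.UrlReferrer && (context.Session["visited"] as string) == "true")
    {
        // Referrer present and the download page was visited: send the real file.
        context.Response.Expires = 0;
        context.Response.Clear();
        context.Response.ContentType = "image/jpeg";
        context.Response.WriteFile(context.Request.PhysicalPath);
        context.Response.End();
    }
    else
    {
        // Referrer or session flag missing: send the error picture instead.
        context.Response.Expires = 0;
        context.Response.Clear();
        context.Response.ContentType = "image/jpeg";
        context.Response.WriteFile(context.Request.PhysicalApplicationPath + "images/2.jpg");
        context.Response.End();
    }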
When we debug and use Thunder to download this picture, we can see that the session holds no value, so of course the error picture is downloaded.
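
The checks described in this article combined in one handler, as an added example that is not the original author's code: the referrer must exist and point to our own domain, the content type is chosen by the request suffix, and .zip downloads also require the session flag. The class name ReferrerCheckedDownload, the example.com hosts and the type map are assumptions, and each suffix still needs its own handler mapping in Web.config and IIS.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Web;
using System.Web.SessionState;
// Added example. Class name, host list and type map are assumptions.
public class ReferrerCheckedDownload : IHttpHandler, IRequiresSessionState
{
    // Hosts whose pages may reference our files (constructed sample values).
    static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "example.com", "www.example.com" };
    // Request suffix -> content type; anything not listed is refused.
    static readonly Dictionary<string, string> ContentTypes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        { { ".jpg", "image/jpeg" }, { ".zip", "application/zip" } };
    public bool IsReusable { get { return true; } }

    // Decision kept separate from the response code so it can be unit-tested.
    public static bool IsAllowed(Uri referrer, string extension, object visitedFlag)
    {
        // The referrer must exist AND point to one of our own hosts.
        if (referrer == null || !AllowedHosts.Contains(referrer.Host)) return false;
        // Referer is client-supplied, so downloads also need the server-side session flag.
        if (string.Equals(extension, ".zip", StringComparison.OrdinalIgnoreCase))
            return string.Equals(visitedFlag as string, "true", StringComparison.Ordinal);
        return true;
    }

    public void ProcessRequest(HttpContext context)
    {
        Uri referrer;
        try { referrer = context.Request.UrlReferrer; }
        catch (UriFormatException) { referrer = null; } // malformed Referer header
        string ext = Path.GetExtension(context.Request.PhysicalPath);
        object visited = context.Session == null ? null : context.Session["visited"];
        string contentType;
        context.Response.Clear();
        context.Response.Expires = 0;
        if (!ContentTypes.TryGetValue(ext, out contentType) || !IsAllowed(referrer, ext, visited))
        {
            context.Response.StatusCode = 403; // refuse instead of serving the file
            context.Response.ContentType = "text/plain";
            context.Response.Write("hotlinking");
            return;
        }
        context.Response.ContentType = contentType;
        context.Response.WriteFile(context.Request.PhysicalPath);
    }
}
```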