Web hotlinking and anti-hotlinking measures

Source: Internet
Author: User
Tags: session id, server hosting

As an ordinary netizen you generally do not need to know or care what hotlinking is, but if you are the developer or maintainer of a site, you will have to pay attention to it. Suppose you have just built a web site with file-download capability but no anti-hotlinking protection. You put it online, upload a few popular programs or movies, post the links, and invite all your MSN friends to try your masterpiece. Before long you find that the connection is surprisingly slow; the hosting center's staff may even call enthusiastically to tell you that the site's traffic is very large, that it must be popular, and to ask whether you would like to pay for more (and more expensive) bandwidth. Just when you are about to celebrate, you open Google Analytics to see how many people are visiting, and find only about 10 visitors a day. Sorry to tell you: your site's resources are being hotlinked. Worse, after you delete every file and movie from the site, it still does not get much faster: the web server's access log shows frantic requests arriving from all directions, and the server has no time left to serve normal pages to real visitors. This situation can persist for several weeks.

Put simply, a resource is hotlinked when other people download it without going through your site. There are several ways this happens:

1. A popular web site, forum or community page references pictures on your site directly (with an <img src> tag), or embeds an MP3 from your site directly in another page (using a Flash or Media Player plugin).
2. A popular web site, forum or community offers download links to your resources.
3. Your site's resources may be included in the "resource candidate list" of some download software; when others use that tool to download the same file, the software automatically finds its way to your server and downloads from it.

Since the consequences of being hotlinked are so severe, what are the ways to prevent it? The following summarizes, from simple to complex, some common and practical methods, with a brief analysis of each. Unfortunately none of them can completely eliminate hotlinking; the goal of anti-hotlinking should be to reduce its impact to a certain extent while still letting legitimate users download resources from your site freely and naturally.

Method 1: Check the referring address
This is the earliest and most common method. The "referring address" is the value of the Referer field in the HTTP request header; in ASP.NET it can be read from the Request.UrlReferrer property. For example, when a user browsing http://uushare.com/abc.html clicks a link to http://uushare.com/jacky.mp3, the browser's request for jacky.mp3 also carries the address of the page it came from (that is, http://uushare.com/abc.html). So when your site program receives a request to download jacky.mp3, it first examines the Referer field: if the request comes from your own domain (uushare.com), it is treated as a legitimate request; otherwise an error message is returned.
This method is commonly used for images and MP3s, which are easy to embed in other sites' pages with HTML. It prevents your images from being displayed directly on other people's web pages (or your MP3s from being played directly by a Flash player embedded on other sites). Visitors using a download tool, however, can still download easily, because download tools now usually construct a referring address from your domain name automatically. To go a step further, you can keep a lookup table that restricts the referring address of each individual resource; for example, restricting jacky.mp3 to the referrer http://uushare.com/abc.html?id=12345 makes it much harder for a download tool to construct a "correct" referring address.
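A server-side check for this method, written as an added Python example (not the original author's ASP.NET code); the domain uushare.com and the per-resource table entry come from the text, while the sample requests are constructed:

```python
from urllib.parse import urlsplit

# Site configuration (constructed for this example).
OWN_DOMAIN = "uushare.com"
# Per-resource referer table: each listed resource may only be fetched
# from one specific page, as the text suggests for jacky.mp3.
RESOURCE_REFERERS = {
    "/jacky.mp3": "http://uushare.com/abc.html?id=12345",
}

def referer_allowed(path: str, headers: dict) -> bool:
    """Return True if the request for `path` carries an acceptable Referer.

    Two checks, in order:
      1. The Referer host must be our own domain (or a subdomain of it).
      2. If the resource has an entry in RESOURCE_REFERERS, the Referer
         must match that exact page URL (scheme, host, path and query).
    A missing or malformed Referer is rejected. Remember that the header
    is supplied by the client, so this only raises the bar; it is not proof.
    """
    referer = headers.get("Referer") or headers.get("referer")
    if not referer:
        return False
    parts = urlsplit(referer)
    host = (parts.hostname or "").lower()
    # Exact domain or a real subdomain, never a substring match, so a
    # host like "uushare.com.evil.example" does not pass.
    if host != OWN_DOMAIN and not host.endswith("." + OWN_DOMAIN):
        return False
    expected = RESOURCE_REFERERS.get(path)
    if expected is None:
        return True
    exp = urlsplit(expected)
    return (parts.scheme, host, parts.path, parts.query) == (
        exp.scheme, exp.hostname, exp.path, exp.query)

# Constructed sample requests, as (resource path, request headers).
SAMPLE_REQUESTS = [
    ("/jacky.mp3", {"Referer": "http://uushare.com/abc.html?id=12345"}),  # legitimate
    ("/jacky.mp3", {"Referer": "http://uushare.com/"}),                   # right host, wrong page
    ("/jacky.mp3", {"Referer": "http://uushare.com.evil.example/abc.html?id=12345"}),
    ("/logo.png", {"Referer": "http://forum.example/thread/42"}),         # embedded elsewhere
    ("/logo.png", {}),                                                    # no Referer at all
]

def decide_all():
    """Evaluate every sample request; returns one bool per request."""
    return [referer_allowed(p, h) for p, h in SAMPLE_REQUESTS]
```

Browsers honouring a strict Referrer-Policy, and users behind privacy proxies, send no Referer at all, so rejecting an empty Referer also turns away some legitimate visitors.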
Method 2: Use login authentication
This approach is common on forums and community sites. When a visitor requests a resource on the site, the program first checks whether the request comes from a logged-in user (in ASP.NET, the login status is recorded with Session or forms authentication) and returns an error message if not. The same check can go further and decide whether the logged-in user's permissions are sufficient to download that particular resource.
However, the login state relies on the session ID, and the session ID is usually stored in the request's Cookie header, which download tools generally cannot read. So these resources often cannot be fetched with a download tool, which is a great inconvenience to legitimate users: most Internet users have a download tool installed that intercepts every click on a download link, so the browser's own download function never gets a chance. The simple workaround is to place the session ID in the URL (bearing in mind that a session ID in the URL is then exposed in server logs and in the Referer headers of outgoing requests).
Another drawback is that visitors cannot download anonymously, so this method is generally used only on forums and community sites.
Method 3: Use cookies
In principle this method is similar to Method 2. The page that displays the download link sets a cookie containing a dynamically generated value; when the resource download request is processed, the program first checks whether the correct cookie is present, and returns an error message if not. The dynamic value should be generated in a way that lets the server verify its legitimacy afterwards, for example by hashing the current time with the seconds stripped off (producing a hash value, or digest). If the web program is ASP.NET, it is even easier to store a string or number in the Session and check for its presence when processing the download request. The disadvantage of this method is the same as that of Method 2.
Method 4: Download via POST
The client browser normally requests resources with the HTTP GET method, but data can also be returned to the client in response to a POST. So you can replace the download link with a form and a submit button, put the name or ID of the file to be downloaded in a hidden input of the form, and when the user clicks the submit button, the server program first checks that the request is a POST; if so, it reads the binary data of the target resource and writes it to the Response object (in ASP.NET, with the Response.BinaryWrite method). The disadvantage is again that download tools cannot be used, and resuming an interrupted download is not possible. But compared with Methods 2 and 3, the download tool does not intercept your download action, so normal users still get the file relatively smoothly. This method is better suited to small files.
Method 5: Use a graphical verification code
This method ensures that each download is made by a "person" from your site, not by a download tool. Since the use of graphical verification codes is described in many places online, it is not repeated here. The disadvantage is that normal users tend to find it troublesome.
Method 6: Use dynamic file names
Also called the dynamic key method. When the user clicks a download link, the server first computes a key (generated by a fixed rule; preferably not a random string such as a GUID, and the key must expire after a certain time), then records this key together with the corresponding resource ID or file name in a database or cache, and finally redirects the page to a new URL that includes this key. When the browser or download tool then makes the download request, the program checks whether the key exists and, if so, returns the corresponding resource data.
The advantage of this method is that download tools can still be used, interrupted downloads can be resumed until the key expires, and the number of download threads can be controlled per key.
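The dynamic key method as an added example in Python (not the author's code). The HMAC-based key rule, the 600-second lifetime, the thread limit of 4 and the /dl/<key>/<file> URL layout are this example's own assumptions, and an in-memory dict stands in for the database or cache table the text describes:

```python
import hashlib
import hmac

# Server secret (constructed placeholder; load it from configuration in practice).
SERVER_SECRET = b"replace-with-a-long-random-secret"
KEY_LIFETIME = 600          # seconds a download key stays valid (assumption)
MAX_THREADS_PER_KEY = 4     # concurrent connections allowed per key (assumption)

# In-memory stand-in for the database/cache table:
# key -> {"resource": file name, "expires": unix time, "active": open connections}
_keys = {}

def make_key(resource: str, client_ip: str, now: float) -> str:
    """Derive the key by a fixed rule rather than a random GUID: an HMAC over
    the resource, the client address and the expiry time. Without
    SERVER_SECRET nobody can compute a valid-looking key for another file."""
    expires = int(now) + KEY_LIFETIME
    msg = f"{resource}|{client_ip}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]

def issue_download_url(resource: str, client_ip: str, now: float) -> str:
    """Handle a click on the download link: record the key, then build the
    URL the page redirects to."""
    key = make_key(resource, client_ip, now)
    _keys[key] = {"resource": resource, "expires": int(now) + KEY_LIFETIME, "active": 0}
    return f"/dl/{key}/{resource}"

def begin_download(key: str, now: float):
    """Handle the redirected request (a browser or a download tool thread).
    Returns the file name to serve, or None when the key is unknown,
    expired, or already at its thread limit."""
    entry = _keys.get(key)
    if entry is None:
        return None
    if now >= entry["expires"]:
        del _keys[key]          # expired: forget it so the table does not grow forever
        return None
    if entry["active"] >= MAX_THREADS_PER_KEY:
        return None
    entry["active"] += 1
    return entry["resource"]

def end_download(key: str):
    """Release one connection slot when a download (or a resumed segment) finishes."""
    entry = _keys.get(key)
    if entry and entry["active"] > 0:
        entry["active"] -= 1
```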
The disadvantage of this method (and of all the methods above that support download tools) is that once any user downloads successfully, your resource will be included in the "resource candidate list" of some download tools, and those tools will keep connecting to your server whenever someone else downloads the same file elsewhere, even after your file has been deleted or the key has expired. This amounts to a kind of DDoS attack. The following two methods allow download tools while still preventing hotlinking.
Method 7: Modify the contents of the resource
Popular resources are generally movies, MP3s, large compressed archives and so on. These files have many places where data can be inserted: an MP3 has a tag area, RAR/ZIP has a comment area, and a movie can take extra bytes almost anywhere. If, during the download, you dynamically inject a few random bytes into these places, the hash value (digest, fingerprint) of the whole file changes, so the hash of the file downloaded from your site differs from everyone else's and download tools cannot actively find their way to your server. Combined with Method 6, this gives a better anti-hotlinking effect. The disadvantage is that although the modified parts will not be "seen" or "heard", people who notice will feel more or less uncomfortable about it. In addition, if someone has already uploaded a file downloaded from your site to another site, download tools will still come knocking (although in practice they cannot actually download the content).
Method 8: Package for download
This method is the same as Method 7, but instead of modifying the original file, it adds a "shell" around it so that the resource's hash value differs from others'. This achieves the same effect without touching the original content, and, a bit more ruthlessly, you can even put some of your own advertising into the package. The disadvantage is that users have to decompress every download, but nowadays most people know how to unzip, so this shortcoming can often be ignored.
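Methods 7 and 8 together, as an added Python example (not from the original post): the original file is wrapped in a ZIP "shell" and a per-download random marker is written into the ZIP comment area, so each downloaded archive has a different hash while the packaged file itself is untouched. The sample file contents are constructed.

```python
import hashlib
import io
import os
import zipfile

def package_with_fingerprint(name: str, data: bytes, marker: bytes) -> bytes:
    """Method 8 plus Method 7: wrap `data` in a ZIP archive (the "shell")
    and store `marker` in the archive comment field. The comment area is
    ignored by extractors, so the packaged file is unchanged, but the
    archive bytes (and hence its hash) differ for every marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
        zf.comment = marker          # written into the end-of-central-directory record
    return buf.getvalue()

def unpack(archive: bytes, name: str) -> bytes:
    """What the user does after downloading: extract the original file."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.read(name)

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def serve_twice(name: str, data: bytes):
    """Simulate two separate downloads of the same resource, each with a
    fresh random marker. Returns (archive hashes differ?, both extract to
    the original?)."""
    a = package_with_fingerprint(name, data, os.urandom(8))
    b = package_with_fingerprint(name, data, os.urandom(8))
    return sha256(a) != sha256(b), unpack(a, name) == data == unpack(b, name)
```

Only the archive's hash changes; the hash of the inner file stays the same, which is exactly the trade-off Method 8 describes.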


This article is from the "11876896" blog, please be sure to keep this source http://11886896.blog.51cto.com/11876896/1875198
