Eight Common Anti-Hotlinking Methods and How They Work

Ordinary Internet users generally neither know nor care what hotlinking is, but if you develop or maintain a website you have to pay attention to it. Suppose you have just finished a site with a file-download feature and no hotlink protection, put it online, uploaded a few currently popular programs or movies, published their download addresses on the site, and told your friends on MSN to come and admire your masterpiece. Before long you will find the site surprisingly slow; the staff at the hosting centre may even call you enthusiastically to say that traffic to your site is huge, that its popularity must be climbing, and to ask whether it is time to pay for more bandwidth or a wider but more expensive line. If, in the middle of the celebration, you open Google Analytics to see how many people are visiting and find only a dozen visitors a day, I regret to inform you: your site's resources are being hotlinked. Worse still, even after you delete every file and movie from the site it does not get much faster: the web server's access log shows a flood of requests arriving from all directions, and the server is so busy answering them that it has no time for normal pages. This situation can go on for several weeks.

Put simply, hotlinking of a website's resources means that someone downloads your resources without going through your website. It can happen in several ways:
1. A very busy site, forum or community page references the pictures or mp3 files on your site directly (via a tag in its HTML) or embeds them in its own pages (for example in a Flash media player plug-in).
2. A very busy site, forum or community publishes the download address of your resource.
3. Your resource is included in the "candidate resource list" of some download program; when other people download the same file with that program, it automatically finds its way to your server and downloads from there.

Since the consequences of hotlinking are so severe, are there ways to prevent it? Below I summarise, from simple to complex, some methods I have used before and some common practices, with a brief analysis of each. Unfortunately none of these methods completely eliminates hotlinking. The purpose of anti-hotlinking measures should be to reduce the impact of hotlinking to some extent while still allowing legitimate users to obtain your resources in a natural and smooth way.

Method 1: Checking the referring address

This is the oldest and most common method. It works by checking the referring address, i.e. the value of the Referer field in the HTTP request header that the browser sends; in ASP.NET this value is available through the Request.UrlReferrer property. For example, when a user browsing http://uushare.com/abc.html clicks a link to the file http://uushare.com/jacky.mp3, the browser's request for jacky.mp3 normally carries the address of the page the user was on (i.e. http://uushare.com/abc.html). So when your web application receives the request to download jacky.mp3, it first looks at the value of the HTTP Referer field: if the request came from your own domain (uushare.com) it can be treated as a legitimate request, otherwise an error message is returned.

This method is usually used for pictures and mp3 files, which are easy to "embed" into other websites' HTML. It prevents your pictures from appearing directly in someone else's web page (or your mp3 files from being embedded in a Flash player on another site), but visitors can still download them easily with a download tool, because today's download tools generally construct a reference address from your domain name automatically. If you want to guard against this further, you can use a lookup table that restricts the reference address allowed for each resource; for example, allow jacky.mp3 to be referenced only from http://uushare.com/abc.html?id=12345. A download tool is much less likely to construct a "correct" reference address of that form.
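The check described above, written out as an added Python example (it is not code from the original post, which only names the ASP.NET Request.UrlReferrer property). The domain uushare.com and the per-resource table entry for jacky.mp3 are taken from the text; the `allow_empty` switch is an assumption added because browsers sometimes send no Referer at all, and the site owner has to decide whether such requests are rejected. The referrer is parsed as a URL rather than searched as a substring, so that a hostname such as evil.example with "uushare.com" in its query string or as a prefix is still rejected.

```python
from urllib.parse import parse_qs, urlparse

# Constructed policy for this example: the site's own domain and, for
# resources that deserve it, the single page allowed to reference them.
OWN_HOST = "uushare.com"
PER_RESOURCE_REFERER = {
    "/jacky.mp3": "http://uushare.com/abc.html?id=12345",
}


def is_own_host(hostname: str) -> bool:
    """True for uushare.com and its subdomains, false for look-alikes."""
    hostname = (hostname or "").lower()
    return hostname == OWN_HOST or hostname.endswith("." + OWN_HOST)


def is_allowed(resource_path: str, referer: str, allow_empty: bool = False) -> bool:
    """Decide whether a download request for resource_path may proceed,
    given the raw value of its Referer header (may be empty)."""
    if not referer:
        # No Referer at all: browsers omit it in some situations, so this is
        # a policy decision rather than a clear-cut hotlink (assumption).
        return allow_empty

    ref = urlparse(referer)
    if not is_own_host(ref.hostname):
        # Request arrived from a page on another site: treat as hotlinking.
        return False

    expected = PER_RESOURCE_REFERER.get(resource_path)
    if expected is None:
        # No per-resource rule: any page on our own domain is fine.
        return True

    # Per-resource rule: scheme, host, path and query must all match exactly
    # (query parameters compared as parsed values so ordering does not matter).
    exp = urlparse(expected)
    return (
        ref.scheme == exp.scheme
        and (ref.hostname or "").lower() == (exp.hostname or "").lower()
        and ref.path == exp.path
        and parse_qs(ref.query) == parse_qs(exp.query)
    )


if __name__ == "__main__":
    for path, ref in [
        ("/pic.jpg", "http://uushare.com/index.html"),
        ("/pic.jpg", "http://forum.example/thread.html"),
        ("/jacky.mp3", "http://uushare.com/abc.html?id=12345"),
        ("/jacky.mp3", "http://uushare.com/index.html"),
    ]:
        print(path, ref, "->", "allow" if is_allowed(path, ref) else "deny")
```

The per-resource table is the part that download tools rarely reproduce; the plain domain check on its own is only a barrier against embedding, since any client can set the header to whatever it likes.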

Method 2: Requiring login authentication

This method is common on forums and community sites. When a visitor requests a resource on the site, the program first checks whether the request has passed login verification (by recording a flag in the Session, or with the common Forms Authentication in ASP.NET); if the visitor is not logged in, an error message is returned. This method can go further and check whether the logged-in user's privileges are sufficient, which gives "permission-based" downloads.
However, the login state depends on the session id, and the session id is usually carried in the Cookie field of the HTTP request. Download tools generally cannot obtain the browser's cookies, so these resources often cannot be downloaded with a download tool, which is inconvenient for legitimate users (most users have a download tool installed, and clicking a download link is usually intercepted by that tool, so they cannot use the browser's own download function). The simplest remedy is to put the session id into the URL.
Another disadvantage of this approach is that visitors cannot download anonymously, so it is generally only used on forum and community sites.

Method 3: Using a cookie

The principle of this method is similar to the previous one. The dynamic page that produces the "download" link sets a cookie value, and when the resource download request is processed the program checks whether the correct cookie is present; if it is not, an error message is returned. As for how to generate the dynamic value, anything whose legitimacy can be checked in reverse will do; for example, take the current time in seconds and compute a hash (digest) of it. If the web program is ASP.NET it is even simpler: store a string or number in the Session and check for its existence when handling the download request. This method has the same disadvantages as method 2.

Method 4: Downloading via POST

Client browsers request resources with the HTTP GET method, but data can also be returned to the client in response to a POST. So the download link can be replaced with a form (Form) and a button (Submit), with the name or id of the file to be downloaded placed in a hidden input (Input) inside the form. When the user clicks the submit button, the server program first checks that the request is a POST and, if so, reads the target resource and writes the binary data into the response object (in ASP.NET, the Response.BinaryWrite method).
The disadvantage of this method is again that download tools cannot be used, and it cannot take advantage of HTTP's support for resuming downloads. It is better than methods 2 and 3 in that a download tool will not intercept the download action, so ordinary users can download files smoothly. This method is more suitable for small files.

Method 5: Using a CAPTCHA

This method ensures that every download from your site is performed by a "person" rather than a download tool. There are plenty of tutorials online on using graphical verification codes, so I will not repeat them here. Its disadvantage is that normal users easily find it annoying.

Method 6: Using dynamic file names

Also known as the dynamic key method. When a user clicks a download link, the program first computes a Key (generated according to certain rules; it is best not to use a random string such as a GUID, and the Key must have an expiry time), then records the Key together with the resource id or its file name in a database or cache, and finally redirects the page to a new URL that contains the Key. When a browser or download tool requests that URL, the program checks whether the Key exists; if it does, the data of the corresponding resource is returned.
The advantage of this method is that download tools can still be used, downloads can be resumed until the Key expires, and the number of download threads can be controlled through the Key.

The disadvantage of this method (and of all the methods above that support download tools) is that once a user has downloaded successfully, your resource is included in some download tool's "candidate resource list". When other people later download the same file from elsewhere, their download tools keep connecting to your server, even after you have deleted the file or the Key has expired, which produces something like a DDoS attack. The two methods below let download tools work while still preventing hotlinking.

Method 7: Altering the content of the resource

The resources in question are generally popular movies, mp3 files, large archives and so on, and these files have plenty of places where data can be inserted: mp3 files have a tag area, rar/zip archives have a comment area, and a movie has many spots in its content. If during the download you dynamically inject a few random bytes (a few bytes is enough) into these places, the hash value (digest, fingerprint) of the whole file changes, so the hash of the file downloaded from your site differs from everyone else's and download tools no longer find their way to you. Combined with method 6 this gives better anti-hotlinking results. The disadvantage is that, although the modified part of the file cannot be "seen" or "heard", knowing about it makes some people uncomfortable. Another is that if someone uploads a file downloaded from your site to another site, download tools will still come knocking (though they cannot actually download the content).

Method 8: Packaging the download

The principle of this method is the same as method 7, but instead of modifying the original file it puts a "shell" around it, so that the hash value of the resource differs from everyone else's. This achieves the effect of the content-altering method without touching the original content at all, and with a little effort you can even add some of your own advertising inside the package. The disadvantage is that the package has to be compressed for every download, but most people today know how to unpack an archive, so this shortcoming is often negligible.
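An added Python example (not from the original post) covering both method 7 and method 8 for the zip case. `inject_zip_comment` is method 7: it writes a few random bytes into the archive's comment area, which changes the file's hash while every stored entry stays byte-for-byte identical. `wrap_in_archive` is method 8: it leaves the original file untouched and puts it inside a fresh zip "shell", again with a random comment so each download hashes differently. The sample archive and file contents are constructed; the eight-byte marker length is an assumption. Only the zip format is shown, since Python's standard library can edit its comment field safely; the mp3 tag and movie cases from the post need format-specific tooling.

```python
import hashlib
import io
import os
import zipfile

MARKER_BYTES = 8  # how many random bytes to inject (assumption)


def file_hash(data: bytes) -> str:
    """SHA-256 fingerprint, the value download tools compare."""
    return hashlib.sha256(data).hexdigest()


def _random_marker() -> bytes:
    # hex-encoded so the comment stays printable if anyone looks at it
    return os.urandom(MARKER_BYTES).hex().encode("ascii")


def inject_zip_comment(archive: bytes) -> bytes:
    """Method 7 for zip: rewrite the archive comment with random bytes.
    Entries and their compressed data are left exactly as they were."""
    buf = io.BytesIO(archive)
    with zipfile.ZipFile(buf, "a") as zf:   # append mode rewrites only the end record
        zf.comment = _random_marker()
    return buf.getvalue()


def wrap_in_archive(filename: str, content: bytes) -> bytes:
    """Method 8: leave the original file alone and ship it inside a new zip
    whose comment carries the random marker."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(filename, content)
        zf.comment = _random_marker()
    return buf.getvalue()


def archive_contents(archive: bytes) -> dict[str, bytes]:
    """Helper for checking the payload survived: name -> bytes for every entry."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        assert zf.testzip() is None, "archive is corrupt"
        return {info.filename: zf.read(info) for info in zf.infolist()}


def archive_comment(archive: bytes) -> bytes:
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        return zf.comment


def build_sample_archive() -> bytes:
    """Constructed stand-in for a popular archive on the site."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", b"constructed sample content\n")
        zf.writestr("data/blob.bin", bytes(range(256)) * 4)
    return buf.getvalue()


if __name__ == "__main__":
    original = build_sample_archive()
    a, b = inject_zip_comment(original), inject_zip_comment(original)
    print("original :", file_hash(original))
    print("download a:", file_hash(a))
    print("download b:", file_hash(b))
    print("same payload:", archive_contents(a) == archive_contents(original))
    shell = wrap_in_archive("jacky.mp3", b"\x00" * 1024)
    print("wrapped   :", file_hash(shell), archive_contents(shell).keys())
```

Each call to either function yields a different hash for the same payload, which is exactly the property the post relies on: a download tool matching files by fingerprint no longer recognises your copy as the one in its candidate list.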


Source: www.cnblogs.com/davinc1/p/10985873.html