Slowly making progress here with the anti hotlinking. I'm setting a cookie on the HTML page so that if the person has loaded the page within the past ten hours the video plays. Otherwise they get an anti-hotlinking video. This means I can play hotlinkers a promo.

I have got it working completely with one filetype (eg. wmv) but so far I can't work out how to give a rewrite rule for each different filetype. The below isn't working. The second filetype gets the no-hotlink file even if the cookie has been loaded.



AuthType Basic
RewriteEngine On
RewriteCond %{HTTP_REFERER} !^http://www.mydomain.com/ [NC]
RewriteCond %{HTTP_REFERER} !^http://mydomain.com/ [NC]
RewriteCond %{HTTP_COOKIE} !(^|(.+;)*)id=valid(;.*|$)
RewriteRule .*\.(wmv)$ http://www.mydomain.com/video-anti-hotlink/no-hotlink.wmv [L]
RewriteRule .*\.(f4v)$ http://www.mydomain.com/video-anti-hotlink/no-hotlink.f4v [R,NC]


Obviously I need different filetypes because wmv won't play in FlashPlayer etc. I need a separate redirect for each filetype.

For starters you'll want to allow people who have no referrer to access the files. Some people have privacy software on their computers that strips out referrers.

I'm not getting why a cookie is necessary... If it's not being referred from your domain, you don't want to serve it...

The other issue I see is that you've got referrals from www. and no www... That means you know you have canonical domain issues. Better to just enforce one or the other from the start...

If you have a better way of preventing hotlinking of video files using htaccess then I'd definitely like to hear it :) The cookie ensures that only people who have visited a page that sets the cookie within the last ten hours can view/download the files.

I do have htaccess in the root set so that pages only appear at www.

What percentage of people do you think have privacy software? This is for a mainstream site and the idea is mainly to prevent other sites from hotlinking to the video files.

There was a time when hotlinking was really frowned on. Now there are cnuts like mefeedia leaching Gbs of video files and copying and storing all the text content from sites via RSS.

If you have a better way of preventing hotlinking of video files using htaccess then I'd definitely like to hear it :) The cookie ensures that only people who have visited a page that sets the cookie within the last ten hours can view/download the files.

I do hotlink protection much the same way - only in the VirtualHost file, not in .htaccess (the VirtualHost file is slightly more efficient when possible).

I still don't understand the need for the cookie. So you want people who have been to your site to be able to see the video when the video is hotlinked from other sites? That seems odd to me.


I do have htaccess in the root set so that pages only appear at www.

If you're enforcing a canonical domain, then you don't need the case for without www in your rewrite rules.


What percentage of people do you think have privacy software? This is for a mainstream site and the idea is mainly to prevent other sites from hotlinking to the video files.

Enough that you have to take them into consideration. By using cookies you're also creating problems for the people who browse with cookies turned off.

The code I'm using is based on code that one of the AVSes gave out years ago. htaccess doesn't seem to work for movie files in the way it does to prevent hotlinking of images.

This htaccess goes into the same directory as the video files. The code for the cookie goes into the header of each page.


<SCRIPT LANGUAGE="javascript">
// Calculate the expiration date
var expires = new Date ();
expires.setTime(expires.getTime() + 10 * 60 * 60 * 1000);
document.cookie = "id=valid; path=/" + "; expires=" + expires.toGMTString();
</SCRIPT>

As far as I can gather the way it works is that only people who have visited your pages can access files in the directory. That is the purpose of the cookie.

I don't mind a few people being unable to access videos if it stops hotlinking from other sites.

The other way I'm thinking of doing it is by using a SSI or php include in the file path on the page. Then each week I'll change the video folder name and edit the include file with the new path. Anyone hotlinking will then be served a promo clip saying 'visit the site'.

The code I'm using is based on code that one of the AVSes gave out years ago. htaccess doesn't seem to work for movie files in the way it does to prevent hotlinking of images.

Why?

The only reason I can think of is that the video player may be separate from the browser and not give referring URL information. But in that case it also won't give cookie information so you've blocked those people in not one, but two ways...

I'm not getting why the hotlink rules for images won't work for video as well...

I just tried it and you're right htaccess does seem to block the movie filetypes. I'm sure there is some issue with doing it but I can't remember what.

My memory is foggy, but if I remember right IE uses Windows Media Player even on embedded videos. The thing is the request for the video comes from WMP, not from IE (if you look at the logs the user agent is different). The question is whether WMP passes things like cookies and referrer.

Then you get to the Mac - god knows what will happen there...

And then there are downloaded video files (not embedded). That should actually work better since the browser is doing the download and should give a referrer.

I'm guessing you'll just have to block ones where there's a clear violation and let the others through... So drop the cookie idea. Allow ones with no referrer. And just block ones that give a referrer that's invalid. The question is how effective that will be - you'll have to test things out and let us know...

I'm foggy too. I pulled the code from a disc dating back about six years. I actually think the idea of using SSI or a php include in the file path of the video is a good solution, then just change it and rename the video directory every few weeks with an .htaccess in the old folder, redirecting to a promo for each video filetype.

We've been chatting privately about this (and other stuff), but this point I thought was important enough to bring back into public discussion...
I'm very sceptical about RSS, as it just seems to be an excuse for certain sites to grab your entire content and hotlink to all your files. I'm ending up competing against my own videos on Google. The sites that are lifting my stuff sometimes appear above mine.

If this whole .htaccess thing is just 'cause you're just worried about RSS there's a simple solution... Embed the videos on the page with something like SWFObject... If they don't have SWFObject installed on their site the Javascript won't replace the alternate content with the video. You can even rename the SWFObject function to something unique to your site, so even if they do have SWFObject it won't work.

In other words, embed a promo video on the page and use SWFObject to replace the promo video with the real one. They'll call a Javascript function that doesn't exist for them and will only get your promo videos.

I went private with this because after our conversation in that other thread (which I was enjoying) was brought to an abrupt halt I feel that I don't want to contribute anything in public on this board anymore.

Anyway I want to thank you for the valuable advice you gave. I have been putting it into practice all this afternoon.