PHP fake referer Use referer to prevent image hotlinking

# Only allow access from don.com, the image may be placed on the page of the don.com website
setenvifnocase referer "^http://www.don.com/" local_ref
# Access directly through the address
setenvif referer "^$" local_ref

Then, stipulate that only marked access is allowed:

order allow,deny
allow from env=local_ref

or

 order deny ,allow
 deny from all
 allow from env=local_ref

Don’t use referrer places

Do not use referrer for authentication or other very important checks, because referrer is very easy to be changed on the client side, whether it is through the firefox extension introduced above, or privoxy, or even libcurl call, so the referrer data is very Not credible. If you want to restrict users from accessing a certain entrance page, instead of using referer, it is better to use session, write the session on the entrance page, and then check on other pages. If the user has not visited the entrance page, then the corresponding session does not exist. , see discussion here. But as mentioned above, don’t put too much faith in the “verification” results of this method. Personally, I feel that in addition to being used to prevent hotlinking, the most common use of referrers is access statistics, such as statistics on which links users access from, etc.

The http-referer variable has become increasingly unreliable and can be forged. Here's how to fake it: php (provided curl is installed):

$ch = curl_init();
curl_setopt ($ch, curlopt_url, "http://www.d.cn/xxx.asp");
curl_setopt ($ch, curlopt_referer, "http:/ /www.d.cn/");
curl_exec ($ch);
curl_close ($ch);

php (use sock without curl)

$server = 'www.dc9.cn';
$host = 'www.dc9.cn';
$target = '/xxx.asp';
$referer = 'http://www .d.cn/'; // referer
$port = 80;
$fp = fsockopen($server, $port, $errno, $errstr, 30);
if (!$fp)
{
echo "$ errstr ($errno)n";
}
else
{
$out = "get $target http/1.1rn";
$out .= "host: $hostrn";
$out . = "cookie: aspsessionidsqtbqsda=dfcapklbbficdafmhnkigkegrn";
$out .= "referer: $refererrn";
$out .= "connection: closernrn";
fwrite($fp, $out);
while (!feof($fp ))
{
echo fgets($fp, 128);
}
fclose($fp);
}
javascript
xmlhttp.setrequestheader("referer", "http://url");// Haha~ Fake ~

js is not supported^_^

The principle is that sock constructs the http header to send data. Other languages ​​such as perl can also be used. Currently, the simplest way to defend against forged referers is to use a verification code (session). Nowadays, there are some commercial companies that can prevent hotlinking software, such as uudog, linkgate, virtualwall, etc., all of which are developed and applied to dll on iis. Some use cookie verification and thread control, and some can randomly generate file names and then perform url rewriting. Some methods can indeed achieve good results.