How to prevent deep linking to files on my website

Question

I own a website which contain a lot of freeware stuff to download on it. The problem I'm facing is that people from around the world are taking the direct links of the files (for example .zip files) and posting them on their websites and general forums. I am getting a huge amount of bandwidth and that's ok, but the number of pages visited is low. Is there a way or a script that I can add to the links, so that when someone presses on the link from a foreign website, a page from my website opens instead, which then lets him download the file so I can get more visits.

For example, this is a address from my website:

http://sy-stu.org/stu/PublicFiles/StdLibrary/Exam.zip

When anyone presses on it, it will start the downloading process directly.

Answer 1

If you are using PHP, you can have a script that links the user to the download but only if the $_SERVER['HTTP_REFERER'] is from your site. If it is not you redirect to your site.

Answer 2

Don't provide a direct link to the file you are serving. Provide a script that sends the content through the script once you hit the submit button.

Do a web search for sending files through cgi.

Here is a neat link I found online: here

Answer 3

I'm not at all a web expert, but I was thinking about the following pointer -

if you're using asp.net could http handlers or modules configured at the web site level help (lot's of information on those on the web, I looked it up recently for some work, here's one article for example.

The idea is to intercept the request before it reaches the target file and redirect it to the page you wish to show; for example - if someone wishes to browse to the url you've posted ("http://sy-stu.org/stu/PublicFiles/StdLibrary/Exam.zip") intercept this call,use some lookup to find the page you wish to display and redirect the request there;I'm guessing users following a link won't be too annoyed (unless they have done "save target as", which would result them saving some HTML and not ZIP).

However, there's some "hole" in my plan - how do you actually provide a link that works from your own page? I believe you can differentiate between requests coming from your web site and ones coming from others' which you could check on the handler/module by examining the request object.

Answer 4

Your site is hosted by an Apache web server, so you should be able to do the following in your site's httpd.conf (or virtual host block)

RewriteEngine On
RewriteCond   %{HTTP_REFERER}  !^$
RewriteCond   %{HTTP_REFERER}  !^http://www.yourdomain.com/.*$ [NC]
RewriteCond   %{HTTP_REFERER}  !^http://yourdomain.com/.*$     [NC]
RewriteRule   ^/PublicFiles/*$ /page-about-direct-links.html

That is basically saying:

1. Turn the mod_rewrite engine on
2. If the HTTP Referrer is blank...
3. Or doesn't contain my domain name...
4. Or doesn't contain my domain name without wwww...
5. Redirect any requests for anything under /PublicFiles/ to /page-about-direct-links.html

More information on mod_rewrite can be found here: mod_rewrite - Apache HTTP Server

Answer 5

Thanx to all of u guys , That was really very useful thanx to all again Have a nice day

Answer 6

Why not just make the links dynamic and indirect, for example:

on page X: (static)

<a href="Y">SuperNeat Program</a>

on page Y: (dynamically generated)

Click here to download 
<a href="Z.php?timestamp={timestamp}&counter={counter}&hash={hash}">
SuperNeat Program</a>

and replace timestamp w/ the current time in msec since 1970, counter = a counter that you increment once per download, hash = MD5 hash of concatenate(timestamp,counter,secret salt) where secret salt = any favorite code you keep secret.

Then on page Z.php, you just recalculate the hash from the counter and timestamp in the query string, check that it matches the hash in the query string, and that the timestamp is recent (e.g. from the previous 30 minutes or 60 minutes or whatever). If it is, then serve the file in question. If it isn't, throw an error message. This gives someone only a brief time period to direct-link to your file. If you don't even want that, then keep track of the counter values received in the Z.php query string and don't accept them more than once.