Mailing List Archive



Re: [tlug] detect fake HTTP referrer




> ... Better to tell them up front that they need to enable cookies
> for your site.

In my case (and I'm sure I'm not alone), I have the browser pop the "accept cookies?" question and decide on a per-site basis. For a site that does not require logins, I generally say no to the popup. If I later find that the cookie is necessary just to d/load a file from the site (which is somewhat non-standard for a website), I then have to go into the options and undo my original decision. That's enough of a pain that unless I really need the file, I generally just leave. Requiring cookies for such a lame reason (file d/load) is likely to cost you customers.


> The point of NVH's story is that for legit referrers, the visitor just
> downloads the file.  It's like an OEM agreement, I suspect: he lets
> "people he likes" rebrand his content (ie, by linking directly to it
> from their pages).

I thought the point was that he didn't want anyone else offering the file for d/load but himself (I think the follow-up also clarified that).


> Actually, in the U.S. the correct term is "obeying copyright law without
> checking the license".  If somebody puts up content on a public site
> with no access controls, then anybody may download it.  This *does
> not* mean that "anybody" may keep anything more than the "ephemeral"
> copies that are required to view it.  Let alone redistribute.

What I was referring to has nothing to do with copyright. Suppose I have a public domain image on my page that I dug up from some archive of such. Someone else likes the image and decides to use it on their page as well. That's legal. But instead of copying the file to *his* server, he just puts *my* URL into the <img> tag. Now, when someone visits his page, his server takes the hit for the HTML but *my* server supplies the image. That's my bandwidth and, even though I get a certain amount included in my monthly allotment, it's not a *free* resource. That's theft. Not of the image -- of the bandwidth.


> On every page that contains images, set a cookie with a short expiry
> (say 1 hour), and insist on the cookie before you give away an image.

But the cookie is just a string which can be spoofed. Unless you set a unique cookie per visitor, miscreants can still concoct an HTTP request that mimics the fixed-value cookie to access the file. If this miscreant is already spoofing the Referer string, it's no extra trouble to spoof a cookie.


---
Joseph L (Joe) Larabell            Never fight with a dragon
http://larabell.org                     for thou art crunchy
                                  and goest well with cheese.

