how to prevent the hotlink

Posted: Fri Jul 16, 2010 5:53 am
by everydayrun
I have created a form which can look up the Alexa ranking, but some people hotlink the lookup results from my site. How can I prevent it? Thank you.

Re: how to prevent the hotlink

Posted: Fri Jul 16, 2010 7:03 am
by Apollo
On the page with the form, set a session var with a random ID (e.g. uniqid(mt_rand(),true) or something). Include this ID as a hidden form field.

On the result page, check if the session var is set, and if the form data contains an ID, and if they match. If not, redirect back to the form.
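The check described in the post above, as an added example that is not part of the original thread. It assumes a single PHP file serving both the form (GET) and the result (POST), and the field names `form_token` and `domain` are made up for illustration; `random_bytes()` is used in place of the suggested `uniqid(mt_rand(),true)` because the latter is not cryptographically secure.

```php
<?php
// Added example, not code from the thread. GET shows the form, POST shows the result.
session_start();

// Issue a fresh token, store it in the session, return it for the hidden field.
function issue_form_token(): string
{
    // CSPRNG token; swapped in for uniqid(mt_rand(), true) from the post.
    $token = bin2hex(random_bytes(16));
    $_SESSION['form_token'] = $token;
    return $token;
}

// True only if the session holds a token and the submitted value matches it.
function check_form_token(array $post): bool
{
    $expected = $_SESSION['form_token'] ?? null;
    $given    = $post['form_token'] ?? null;
    unset($_SESSION['form_token']); // single use: a replayed POST fails
    return is_string($expected) && is_string($given)
        && hash_equals($expected, $given); // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!check_form_token($_POST)) {
        // No session, no token, or a mismatch: redirect back to the form.
        header('Location: ' . $_SERVER['SCRIPT_NAME'], true, 303);
        exit;
    }
    $domain = (string)($_POST['domain'] ?? '');
    // The site's own ranking lookup would run here (not shown on the page).
    echo 'Result for ' . htmlspecialchars($domain, ENT_QUOTES, 'UTF-8');
    exit;
}

$token = issue_form_token();
?>
<form method="post">
  <input type="hidden" name="form_token"
         value="<?= htmlspecialchars($token, ENT_QUOTES, 'UTF-8') ?>">
  <input type="text" name="domain">
  <input type="submit" value="Look up">
</form>
```

This rejects any POST that did not come from a form loaded in the same session, which is what stops a third-party page from posting straight to the result URL. It does not distinguish a browser from a script that loads the form first and keeps the session cookie.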

Re: how to prevent the hotlink

Posted: Sat Jul 17, 2010 12:11 am
by Bind
It is possible to parse the form source for the random ticket value mentioned above, which also sets the session, then POST through your form with the value required, using cURL with a cookie container for instance.

I recommend a good manual image challenge-response mechanism like CAPTCHA/reCAPTCHA for better form bypass/anti-automation security.