• Asking this here on WP, because not sure if this is a WP-related issue. Also because lots of knowledge here, so maybe someone knows what’s up.

    I recently developed a custom theme for a WordPress site, based on my previous static HTML site. The long story, shortened, it’s a membership site with video and image download content structure. You pay to join (through CCBill), and you get the content. Because it’s through WP using a database (rather than just a folder protected by a .htaccess file), a payment integration system is needed. I get s2member plugin, but bottom line, as awesomely well as it works, if you want to protect a recipe for Asian Chicken Delight – perfect. You want to serve a video to a browser or device …sorry, not happening.

    Other solution – CCBill writes the data directly to my MySQL database, with no plugin. However, I don’t possess the programming knowledge to authenticate users, but give them access to protected content based on those credentials, etc.

    Next (and current situation): I keep the s2members plugin, because it’s protecting the posts quite well. The videos are stored in an “unprotected folder”, with the following additions – a blank index.php file in the uploads folder to defeat directory listings. Also, a .htaccess file with the following code:

    IndexIgnore *
    Options +FollowSymlinks
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^https://(www\.)?mysite\.com/ [NC]
    RewriteCond %{REQUEST_URI} !hotlink\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx|mp4|ogv|webm) [NC]
    RewriteRule .*\.(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx|mp4|ogv|webm)$ https://mysite.com/join-today/ [NC]

    The above code redirects anyone who tries to access the content folder from outside my site URL to my join page. So far, this has tested well. This allows the videos to play back at full preloading speed, video scrubbing, etc. It makes direct downloads a problem, but the s2members folder works great for that. Download links to member ZIPs etc all go there. So .htaccess protects (I think) my uploads folder, and s2members handles the join/user/authentication credentials with CCBill.

    Problem: The videos will not play back on a device like iPhone/iPad any more. The video player works fine on devices, and the videos DO play back just fine on the iPhone when I remove the .htaccess file above from the uploads folder.

    So: what’s going on with the above .htaccess file in the WP file structure that’s blocking the iPhone from accessing the content? And, is this a good level of security, or can any 14 year old kid on a laptop get around this?

    Help?
    Shawn

Viewing 3 replies - 1 through 3 (of 3 total)
  • Thread Starter shawncbarry

    (@shawncbarry)

    I think it’s just this line:

    RewriteCond %{HTTP_REFERER} !^https://(www\.)?mysite\.com/ [NC]

    Do I need to add something in this line to account for a request coming from a device, like mobile/?mysite or something like that?

    Thread Starter shawncbarry

    (@shawncbarry)

    Okay – update: seems it’s a SAFARI issue (hence, iPhone issue). I thought I’d tested this in Safari on my desktop browser, but I guess I got mixed up.

    So, Safari is having the issue.

    FINESEC

    (@finesec)

    Your problem is that some video players/plugins do not support authentication. To say something more I’d need to know what kind of authentication method you’re using. Is it Basic Authentication or Form Authentication?

    The trick with checking the referer is very old. Nowadays anyone can easily bypass such protection using referer spoofing and download your videos without much hassle.

    If your site requires a secure and smooth authentication (CCBill is supported) you might want to check out those sites:
    demo.sitedefensor.com
    https://www.sitedefensor.com

  • The topic ‘.htaccess http referer blocking mobile access…’ is closed to new replies.
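
The referer check discussed in this thread, modelled next to a server-verified signed link, as an added example that is not code from any poster or from s2member. It evaluates the posted rule set on constructed requests to show why a request that carries no Referer is redirected and why the check is not authentication, since the header value is chosen by the client. Assumptions: the device's media player sends no Referer header, and `sign`, `token_rule`, `SECRET` and the sample path are hypothetical names for illustration.

```python
import hashlib
import hmac
import re

EXT = r"(gif|png|jpg|doc|xls|pdf|html|htm|xlsx|docx|mp4|ogv|webm)"
# Patterns copied from the .htaccess in the thread; [NC] becomes re.I.
REFERER_OK = re.compile(r"^https://(www\.)?mysite\.com/", re.I)
HOTLINK_EXEMPT = re.compile(r"hotlink\." + EXT, re.I)
PROTECTED = re.compile(r".*\." + EXT + r"$", re.I)


def referer_rule(uri, referer):
    """Decide 'serve' or 'redirect' the way the posted rule set does."""
    referer = referer or ""  # mod_rewrite sees an absent header as an empty string
    blocked = (PROTECTED.search(uri)
               and not REFERER_OK.search(referer)
               and not HOTLINK_EXEMPT.search(uri))
    return "redirect" if blocked else "serve"


SECRET = b"constructed-demo-key"  # assumption: secret held only by the server


def sign(uri, expires, key=SECRET):
    """HMAC over path and expiry; the site would embed it in links for logged-in members."""
    return hmac.new(key, f"{uri}\n{expires}".encode(), hashlib.sha256).hexdigest()


def token_rule(uri, expires, sig, now, key=SECRET):
    """Serve only if the link is unexpired and the signature verifies."""
    if now > expires:
        return "redirect"
    good = hmac.compare_digest(sign(uri, expires, key).encode(), sig.encode())
    return "serve" if good else "redirect"


if __name__ == "__main__":
    video = "/wp-content/uploads/clip.mp4"  # constructed sample path
    # Constructed requests: (description, Referer header as received)
    for who, ref in [("page on the site", "https://mysite.com/videos/"),
                     ("player that sends no Referer", None),
                     ("client that sets the header itself", "https://www.mysite.com/")]:
        print(f"referer check, {who}: {referer_rule(video, ref)}")
    exp = 1_700_000_600  # constructed expiry timestamp
    link_sig = sign(video, exp)
    print("signed link, no Referer:", token_rule(video, exp, link_sig, now=1_700_000_000))
    print("signed link, expired:", token_rule(video, exp, link_sig, now=1_700_000_601))
    print("altered signature:", token_rule(video, exp, "0" * 64, now=1_700_000_000))
```

The signed link does not depend on any request header, so it behaves the same in every player, and its validity is decided by a secret the client never sees.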