#30991 Hotlinking

Posted in ‘Admin Tools for Joomla! 4 & 5’


Latest post by nicholas on Tuesday, 26 February 2019 01:15 CST

jestyn
I have a couple of .pdf files on my website which are listed on a page which is only accessible via the Joomla ACL system.

The items are in the root /images

The problem is that I can access the .pdf file per link directly without log-in. That's a security problem, which shouldn't be there.

Found a solution by editing the .htaccess file as follows (1st line is already in this file which was created by admin tools)

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?vrijehof.nl [NC]
RewriteRule \.(pdf)$ - [NC,F,L]

But this is not working i.e. files can still be found with the correct url.

Do you have a solution?

nicholas
Akeeba Staff
Manager
This is outside the scope of our support, as it will become evident. I can tell you that what you are trying to do is not going to work, ever. Hotlinking protection was a misconception perpetuated by misguided administrators in the mid to late 1990s, when the web was in its infancy. Its purpose was to prevent an HTML page hosted on Site B to include media files hosted on Site A, thereby charging Site A's operator with the bandwidth to serve the file. In reality it was a simple filter: "if the Referer header does not match Site A return 403 Access Forbidden". This worked in 1995, it was kinda working in 2005 and it was mostly NOT working in 2015 (since privacy extensions or core features in browsers kill the Referer header anyway).

Besides, what you are trying to do is not hotlinking protection, it's access control. The problem is that you do not want to password protect the documents which is the kind of access control your web server offers you. You want to apply Joomla! ACLs. When you are trying to download a file from the web server using its URL it does not load Joomla. So how could your server know about Joomla! ACLs? Simple. It can't. That's why what you're trying to do won't ever work.

For this reason what you should be looking for is a download manager component such as Phoca Download, DOCman etc. These components don't let you download a file directly with a URL. All downloads have to go through Joomla!, this particular download manager component, therefore through Joomla! ACLs.

This has nothing to do with Admin Tools. It's a different category of software. As a result I will be closing your ticket as out of scope. I hope that I gave you a good hint on what to look for and why :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!
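
Added example (not part of the ticket and not Akeeba's or Joomla's code): a small Python model of the rewrite rules posted above, next to a hypothetical download handler that checks the logged-in session, to show why the direct URL still returns the file. The function names, the session table and the file name are constructed for illustration.

```python
import re

# Patterns copied from the ticket's .htaccess rules.
SITE_RE = re.compile(r"^http(s)?://(www\.)?vrijehof.nl", re.I)
PDF_RE = re.compile(r"\.(pdf)$", re.I)

def htaccess_status(path, referer=""):
    """Status the posted rules produce. No cookie or session is ever consulted."""
    if not PDF_RE.search(path):
        return 200                                   # RewriteRule pattern does not match
    cond_not_empty = referer != ""                   # RewriteCond %{HTTP_REFERER} !^$
    cond_not_own_site = SITE_RE.search(referer) is None
    # 403 only when BOTH conditions hold; a request without a Referer always passes.
    return 403 if (cond_not_empty and cond_not_own_site) else 200

# Hypothetical model of a download handler that runs inside the CMS.
# Assumption: the file itself is not reachable by a direct URL.
FILE_VIEW_LEVEL = {"report.pdf": "Registered"}       # constructed sample data
SESSIONS = {"sess-abc": {"Public", "Registered"}}    # session id -> authorised view levels

def gated_status(filename, session_id=None):
    """Status when the decision is made from the user's view levels, not the Referer."""
    required = FILE_VIEW_LEVEL.get(filename)
    if required is None:
        return 404
    levels = SESSIONS.get(session_id, {"Public"})    # unknown or missing session = guest
    return 200 if required in levels else 403

def compare():
    """(case, Referer-rule status, ACL-handler status) for constructed requests."""
    return [
        ("URL typed directly, not logged in",
         htaccess_status("/images/report.pdf"), gated_status("report.pdf")),
        ("embedded on another site, not logged in",
         htaccess_status("/images/report.pdf", "https://other.example/page"),
         gated_status("report.pdf")),
        ("link clicked on own site, logged in",
         htaccess_status("/images/report.pdf", "https://www.vrijehof.nl/docs"),
         gated_status("report.pdf", "sess-abc")),
    ]

if __name__ == "__main__":
    for case, referer_rule, acl_handler in compare():
        print(f"{case:42} referer rule: {referer_rule}   ACL handler: {acl_handler}")
```

The first row is the situation reported in the ticket: the Referer rule never looks at who is asking, so a request that carries no Referer header is served regardless of login state.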
