Jason Beam
I suspect there's some type of security setting on those particular boxes that's blocking the images. Norton is always the first suspect, but there could always be others. I'm not familiar enough with the Norton products to walk someone through trying to track down the errant setting.
You're right to suspect individual machines' configurations. That's exactly what's causing it for just a few folks. It's not that their setting is actually doing the blocking of the image, but it is blocking information that is setting off the hotlinking protection. I'm actually very interested to see what the others are seeing just because my profession relies on knowing how varied the world is. So, guinea pigs, I thank you for that.
The "Hotlinking Protection" must be rather aggressive to absolutely refuse any non-referer even if the browser has a cookie for that domain. Is the setting a vBulletin setting, by any chance? You might check the vBulletin forums or support or help systems they have available for some information. While I agree the hotlink protection is valuable, it should at the very least be smarter. If a legitimate user is actually logged in (like many of those reporting it have been) the vBulletin should make an exception for possible hotlinkers. Is there a chance that the setting can be "dialed back" a bit in aggressiveness? Like "Protect all images from hotlinkers that don't have the 'logged in' cookie" perhaps? I'd expect a conscientious developer to consider this, but maybe not? Perhaps vBulletin can shed some light on it? It's a little more involved than just "if they have this cookie, give up the images" because cookies can be spoofed, but there are ways to utilize cookies to provide pretty decent protection. Worst case, all images could be redirected to a login prompt, also - but that does use some bandwidth, too. It's a complex feature to program, but absolutely possible and not that tough to do. I would hope vBulletin would be helpful here.
It seems like you should be able to protect your server without alienating your legitimate userbase. At least, that's my opinion as a web developer.
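Added example (not part of the post above and not vBulletin code): one way a hotlink check could fall back to a logged-in cookie when the Referer header is missing, using an HMAC so the cookie cannot simply be spoofed. The host name, key, cookie layout and function names are assumptions made for this sketch, and denying foreign Referers outright is a choice of the sketch, not something the post specifies.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import urlsplit

# Assumed values for this sketch; these are not vBulletin settings.
SITE_HOSTS = {"forum.example.com"}
COOKIE_KEY = b"constructed-demo-key"  # server-side secret, never sent to clients


def _mac(payload: str) -> str:
    return hmac.new(COOKIE_KEY, payload.encode(), hashlib.sha256).hexdigest()


def sign_session(user_id: str, expires: int) -> str:
    """Issue a cookie value 'user|expires|mac' at login time."""
    payload = f"{user_id}|{expires}"
    return f"{payload}|{_mac(payload)}"


def session_is_valid(cookie: Optional[str], now: int) -> bool:
    """True only if the MAC verifies and the expiry is still in the future."""
    if not cookie:
        return False
    parts = cookie.split("|")
    if len(parts) != 3:
        return False
    user_id, expires, mac = parts
    expected = _mac(f"{user_id}|{expires}")
    # Constant-time comparison; a client that edits any field fails here.
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    return int(expires) > now  # safe: the field was signed by sign_session


def allow_image(referer: Optional[str], cookie: Optional[str], now: int) -> bool:
    """Own-site Referer: serve. Foreign Referer: deny. No Referer: need a valid session."""
    if referer:
        try:
            host = urlsplit(referer).hostname
        except ValueError:  # malformed header value
            return False
        return host in SITE_HOSTS
    # Header stripped (privacy or security software): use the signed cookie instead.
    return session_is_valid(cookie, now)
```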