I have a script in the .htaccess file to prevent hotlinking of images and audio files. The website allows downloading of the mp3 audio file. Using this setup for the past year yielded no problems, until recently. One user could not download any of the audio files. I removed mp3 from the script and user could download the audio. This is the script I used:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mywebsite.com [NC]
RewriteRule \.(jpg|jpeg|png|gif|mp3|pdf)$ mywebsite.com/hotlink.jpe [R,L]
Is there a better way to write this? Why doesn't it work with all users?
Checking the HTTP Referer, whilst not foolproof (since it's not guaranteed to be accurate), is an effective way to hinder hotlinking of your resources. Since the majority of the visitors to the infringing site will have an accurate HTTP Referer, and therefore the hotlink will be impractical.
Another method could be to require a short-lived session-cookie order to request the content (similar to user authentication, but without asking the users to log in). But this could easily inconvenience your real users too. Also, if the implementation of this method is too simple, the infringing site might be able to make the browser acquire the cookie anyway (e.g. play music from your server via hidden iframes).