CP Hotlink protection is returning a 302 redirect

[Automile]

I just noticed starting this morning in my error logs that I was getting a lot of requests for files named "/jpg" and "/gif". I went to latest visitors, and saw that the requests for these two files were always preceeded by another site hotlinking to an image on my site.

I have enabled hotlinking protection through the CP, and it has been working for a long time without incident. However, instead of returning the usual 404 to these bandwidth thieves, the server is returning a 302 redirect! I haven't made any changes to htaccess lately, nor anything else for that matter.

Anyone ever heard of this before, and any ideas what can be done to fix it? My error log is getting long! (The jpg and gif files are returning a 404 code.)

I did open a ticket, they said they'd have to have someone else look at it because they didn't know why this was happening.

[jason]

A 302 is a temporary redirect, and that is what is typically creted when you use mod_rewrite (as you likely are with your hotlink protection setup). Without seeing your .htaccess setup it is hard to comment on exactly what is going on, though I'd suspect that your code is returning an external redirect to something nonexistant to create the 404. As to why things would ahve suddenly change, I can't say.

--Jason

[Automile]

Hi Jason,

As of last week, requests for images from sites other than mine returned a 404. Now the server is returning a 302, and indicating the new location is http:// mysite.com/jpg ! I enabled hotlinking protection through the CP.

When I would go into latest visitors in my CP, I could clearly see outside sites linking to images, and the http code was 404. So, no entries in error log, and no redirects. Now without making any changes to htaccess, it is doing the 302 redirect. Jaguar support says this is the normal way to do it, but it was not that way in the past.

Plus, 302 redirects are very bad with Google right now, and can cause serious problems with your site rankings.

Are there other ways of enabling hotlink protection without using mod_rewrite? Does the CP use mod_rewrite to do this?

Thanks,
Andy

[jason]

Yes, the CP does use mod_rewrite. That is definitely the easiest way to do hotlink protection by far. The only other way I can think to do it right now is to map a script to something like /images and use the PATH_INFO environment variable to determine the requeted image and pass it through to the browser, but this method would be less reliable than mod_rewrite and would probably use more server overhead.

Can you post your .htacces file contents, or at least the parts relavant to hotlink protection? If you don't want to post that information in public, could you PM it to me? I'll take a look and see if I can make any suggestions.

--Jason

[Connie]

I would not worry about the 302 redirects in regard to images. I don't think the SEs are going to see the redirects because they are accessing the images from you site. In my understanding of things the 302s would not apply to a site hot linking your images.

Google claims to have solved the problem in regard to 302 redirects, but the problem as far as I know only was in regard to the link to a site, not an image link.

I'm not throughly convinced but I still do not think the 302 issue ever affected image files.

I agree that a 302 redirect from the server level is not correct. A 302 is a temporary redirect which means the page or image might come back. Most redirects should return a 301 header response.

Unfortunately most host do not understand this an they use a 302 redirect when they should use a 301.

I have never used domain parking but I think that means that one domain name points to another. That should also return a 301 header response rather than a 200 header response.

[Automile]

Just to recap this issue, it was determined that my htacess file somehow, suddenly, without any changes on my part, was coded to do the redirect 302 instead of returning a 403 Forbidden.

I have no idea WHO made this change, I only know it WASN'T ME! I restored htacess from my computer, and all is fine again.

It's not a comforting feeling to see that something's been changed, and knowing that you didn't do it.

Andy

[jason]

It may have been something that was done automatically by a CPanel update or something like that. I'm not sure why that would happen, but I've seen CP do stranger things.

I doubt that anyone from JPC intentionally went into your account and made that change without notifying you.

--Jason

[Spathiphyllum]

It may have been something that was done automatically by a CPanel update or something like that. I'm not sure why that would happen, but I've seen CP do stranger things...

Great. Now I'm paranoid and will have to scan my .config files. If cPanel starts editing stuff on the fly without my requesting of it, then I'd consider that a design flaw.

Could you very briefly list an example or two of a wierd cPanel event? I'd like to know what I've been missing.