View Full Version : how to disallow access to swf files if not requested by php...


fantasio
06-12-2005, 08:59 PM
today is question day :)

i just did a website for a customer that does music videos. they recently did some videos for a fairly famous act and their problem is that all the fan sites linked directly to the swf files, causing them a LOT of traffic!

now i encrypted the swf and stream the movies via php, which makes it fairly difficult to guess the file's name and path.

but anyway i would like to make it even more difficult and allow access to the swf files only via php.
means: if flash requests a swf it talks to a php script that streams the swf file after verifying some values posted from the main site swf (protecting the direct access to said php script).
this works pretty well; now i only want to deny access to the swf files directly without the hassle of session ids or username passwords, so that everyone can still view all the files directly from the main site.

is this possible at all?

mmm..pi..3.14..
06-12-2005, 09:57 PM
Are you using apache on the server? There is a trick you can do with .htaccess files on Apache to prevent direct linking to files

fantasio
06-12-2005, 10:04 PM
yes apache !

so, what's the trick ? :)

mmm..pi..3.14..
06-13-2005, 01:30 AM
Ok, well I can't try it myself since I don't have Apache (I'm running IIS 6.0), but from what I see it seems to work ok *crosses fingers*

http://webdesign.templatemonster.com/web/web-programming/php/no-direct-linking.1407.html
http://wsabstract.com/howto/htaccess10.shtml
http://underscorebleach.net/jotsheet/2004/11/stop-image-hotlinking-tutorial-htaccess-apache

Don't know if that would prevent people from using the "Save Target As..." method by writing their own html file with the url to the file, but it might. The examples above are using images instead of swf files but I figure you'd know how to change that fairly easily ;)

Eric

fantasio
06-13-2005, 02:18 AM
Aha!

at least it works when you use a link to the file!
but it does not work, when you put the link directly into your browser like:
http://www.mydomain.com/stuff/movies/greatMovie.swf
i wonder how to prevent this then...

Flash Gordon
06-13-2005, 02:28 AM
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourDomian.com/.*$ [NC]
RewriteRule \.(mp3|ogg|mpg|pdf|jpeg|jpg|gif)$ - [F]
Are you talking about that kind of stuff?
At least that is mine and it prevents hotlinking.

fantasio
06-15-2005, 06:56 PM
ok i messed around a little with the mentioned htaccess configs, and have the following problems/observations:

i used

RewriteEngine on
RewriteCond %{HTTP_REFERER} ^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mydomain.com/.*$ [NC]
RewriteRule .*.(swf|jpg|gif)$ http://www.mydomain.de [R,L]


to prevent any access to the files directly if the request does not come from the site itself. if a user tries to hotlink or access a file directly, he gets directed to the main page.

works like a charm, but not with flash, because it seems that, depending on the browser / platform flash runs on, sometimes the referer is not being sent.

any idea what to do ?

thanks !

Xeef
06-15-2005, 10:00 PM
put it in a location outside of the WEB
and wrap it with the PHP
so there is no chance to get it without PHP

fantasio
06-16-2005, 12:00 PM
well i tried that, but of course it's a little complicated with swf files:
i tried the following script:

this.createEmptyMovieClip("mc",1)
mc.target="the_incredible_flic.swf"
mc.loadMovie("streamer.php","POST")

and the streamer.php looks like this:

$filename =$_POST["target"];
$path="../../../".$filename;
$mov = file_get_contents ($path);
$filesize = filesize($path);
header("Content-Length: $filesize");
print "$mov";


this works like a charm IF you only request one swf at a time.
when i try to load multiple swfs via the streamer.php it only starts
to load the next one after the first one is loaded completely unlike
if i would load the swfs directly from flash...

any ideas ?

cheers and thanks

Xeef
06-16-2005, 02:17 PM
Hmm

normally windows allows 2 downloads from the same site at the same time (as far as i know)


P.S
hope you will make a few checks on this :
$path="../../../".$filename;
because it's ****ing dangerous !!!
$filename="/../bla/security.whatever" for example

fantasio
06-16-2005, 02:22 PM
of course there will be no ../../ in the final script :)
the php is running on linux and apache 1.3 and it seems it allows only one stream at a time...
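
An added example, not part of the thread and not the poster's code: a variant of the streamer.php above that applies the kind of check Xeef asks for before any file is read. MEDIA_DIR, resolveMedia() and the file-name pattern are assumptions chosen for illustration.

```php
<?php
// Added example: hardened variant of the thread's streamer.php.
// MEDIA_DIR is a hypothetical directory outside the web root.
const MEDIA_DIR = '/srv/media/swf';

/**
 * Map a client-supplied name to a real file inside $baseDir.
 * Returns the resolved path, or null if the request is rejected.
 */
function resolveMedia(string $baseDir, $requested): ?string
{
    // Accept a bare file name only: no slashes, no leading dot, .swf extension.
    if (!is_string($requested)
        || !preg_match('/\A[A-Za-z0-9][A-Za-z0-9_-]*\.swf\z/', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $full === false) {
        return null; // base directory or requested file does not exist
    }
    // realpath() resolves ".." and symlinks; the result must still sit under base.
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($full) ? $full : null;
}

// Serve the file only when running as a web request.
if (PHP_SAPI !== 'cli') {
    $path = resolveMedia(MEDIA_DIR, $_POST['target'] ?? null);
    if ($path === null) {
        http_response_code(404); // same answer for "rejected" and "missing"
        exit;
    }
    header('Content-Type: application/x-shockwave-flash');
    header('Content-Length: ' . filesize($path));
    readfile($path); // streams the file instead of loading it all into memory
    exit;
}
```

With this check, a posted target such as "../bla/security.whatever" fails the name pattern and never reaches the filesystem, while "the_incredible_flic.swf" is served only if it resolves to a file inside MEDIA_DIR.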

Flash Gordon
06-30-2005, 01:59 AM
<off topic a bit>
Do you guys see anything wrong with this:
ErrorDocument 403 /forbidden.html
ErrorDocument 404 /not_found.html
ErrorDocument 500 /internal_server_error.html
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?mysite.com/.*$ [NC]
RewriteRule \.(mp3|ogg|mpg|pdf|jpeg|png|jpg|gif)$ - [F]

The one shown above works with no problems but with this one I can't even access my index page.
Any ideas?