Protect Flash Files from Being Downloaded

Protect Flash files from being downloaded with this technique. It is not fool-proof, but this takes a completely different approach to stopping the average user trying to get at your SWF files than other tactics.

 

Thanks to Graham Ellis for the awesome time he donated to help me understand some of the finer points of PHP. He is a true PHP genius!

Protecting Flash files: the example

Try your hand at downloading the Flash .swf movie in this example.

.htaccess

Create a file called .htaccess in the root folder on your server if you don't already have one, and insert the following line to it:

AddHandler application/x-httpd-php .swf

Modifying your htaccess file by adding this line will not affect other Flash files on your website.

 

The HTML

You need to add two things to the page that the Flash movie will play on; first, add lines 1-3 to the very top of your page. And second, add lines 9-11 to your page directly above the object tag. Lastly, change the extension of the page to .php so your server will know to parse the language instead of writing it to the page.

<?php session_start(); ?> <html> <head> <title>Flash</title> </head> <body> <?php $_SESSION["flash"] = $_SERVER["HTTP_HOST"]; ?> <object width="550" height="400"> <param name="movie" value="flash.swf"> <embed src="flash.swf" mce_src="flash.swf" width="550" height="400"></embed> </object> </body> </html>

 

The PHP

Here's where the real muscle comes in. While the HTML calls for flash.swf, it won't technically be a Flash file; it'll be a PHP file. Create a new file on your computer called flash.txt, open it up to edit, and insert the following code into it. Upload the file to your server and change the extension from txt to swf. This is the file that your HTML will link to instead of the real Flash movie.

<?php session_start(); if(isset($_SESSION["flash"])) { $referrer = $_SERVER["HTTP_REFERER"]; $referrer = parse_url($referrer); if($referrer["host"] != $_SESSION["flash"]) { echo "Permission denied."; exit(); } } else { echo "Permission denied."; exit(); } unset($_SESSION["flash"]); header("Cache-Control: no-cache, must-revalidate"); header("Expires: Mon, 18 Jan 2010 00:00:00 GMT"); // Don't change. header("Content-type: application/x-shockwave-flash"); readfile("/home/www/private/real_movie.swf"); ?>

The only change you need to make to this file is on line 21. Replace /home/www/private/flash.swf with the full server path to the Flash movie you want to play. If you don't know your full server path, you can find it by creating this PHP file and viewing it in your browser:

<?php echo $_SERVER["DOCUMENT_ROOT"]; ?>

The ideal spot to put the real .swf file would be a place on your server where browsers can't go such as a password protected directory or in a private folder outside of the document root.

How does this protect my Flash files from being downloaded?

The first thing that happens is the HTML page creates a session (sessions are kind of like cookies) and then it opens the PHP script as if it were a genuine Flash file. The session contains the domain of the site, and a quick check is performed to see if the domain requesting the flash file is the same as the domain where the flash file is located. If it doesn't match or the session was never created, the page simply reads, Permission Denied.

Update: 8 August, 2007

A couple of ways to get around this preventative measure have been brought to my attention, so consider this method a way to slow down experienced hackers. Personally, if I ran into this being used on a Flash file that I wanted to download, I would shrug my shoulders and give up.

Update 2: 18 January, 2010

I've been looking into making use of HTTP headers to improve the performance of my site, and I realised a couple of them might be useful for this example. I added a no-cache header and an expire header that's in the past. This might prevent people from being able to download a Flash file from their cache, but I haven't done any testing.

Contact me if you have any ideas or info about this.

Terms and Conditions

By using this information, you consent to the following:

In no event shall I be held liable for any damages whatsoever (including, without limitation, incidental and consequential damages, lost profits, or damages resulting from lost business) resulting from the use or inability to use the material on this website.

 

 

link:http://ryanfait.com/resources/protect-flash-files-from-download/