How to prevent direct access / download to mp3 / wav files, allowing a flash player to access them using .htaccess (or PHP)

I scoured the Net for several hours looking for a solution, with only partial and non-working solutions to show for my efforts.

The solution shown at first glance seemed like a big fix, but it also blocked my flash player's access to the files. Can I only allow access from certain pages?

<Files ~ "...">
order allow,deny
deny from all
</Files>




The solution shown at first glance seemed great, because it did not allow people to view files in the directory, but if the user knows the exact URL of the music file, he can download it:

SetHandler application/x-httpd-php
SetHandler application/x-shockwave-flash

Now I came across this post, which forces the user to create a username and password using htaccess, but I will open a dialog when the flash player is on the screen. Is there a way for the page to send login information without user intervention?




If this is not a safe method, can anyone suggest a safe and relatively direct way to implement this restriction function? URLs and examples would be greatly appreciated.

PS This is a WordPress site, so I will use PHP as a programming language to implement any solution.

PS Looking to block newbies from downloading, NOT Hackers / Crackers / Internetmasters.

thanks

+6
security php flash apache .htaccess
4 answers

Since PHP is available, use it to protect the files. Do not put them in the root folder, but somewhere that is accessible to PHP. Then create a one-time URL, for example:

 <?php $unique = md5( uniqid() ); // 32 hex characters ?> 

Then save this unique value in the session / server / db and have the other page check the unique string before streaming the file:

 <a href="streamer.php?id=6dd4566eb245627b49f3abb7e4502dd6">Stream Me</a> 

Be sure to expire this unique token after its first use (or maybe after several uses if you feel generous). This will not stop the crafty from capturing the HTTP stream in any way, but it should prevent casual linking.

+8

As The Rook notes, you cannot have it both ways. You cannot both give and not give your users access to your data. No matter how complicated your authentication scheme is, competent users can always get around it, because in order for Flash Player to function, they must have credentials. Personally, I believe that the right decision is to realize that you cannot prevent a specific user from saving your content, and to just let them. If you insist on making it more complex, which solution is right for you will be determined by which segment of users you want it to be effective against and how much work you are ready to put into implementing it.

A simple solution is to generate a one-time key every time you serve the watch page, and then serve the content through a PHP script that checks it. Thus the user, at the very least, needs to load the browse page for the required content and examine its source in order to extract the key, and cannot just put the URL in the address bar of the browser. However, if your site becomes popular, someone will probably make a script available that will do it automatically. For example, see youtube-dl, a Python script that uploads videos to YouTube.

In your message, you mention password-protecting the files using Apache. Flash Player may send HTTP authentication, but I doubt that any existing players support this, and modifying one to do so would require both the source and experience with ActionScript. Any solution that can withstand trivial attacks such as reading the page source is likely to require a player change.

+3

Someone can always look as if they are launching flash memory and can load your music. TamperData can be used to view all the traffic generated by the browser (including flash), as well as the ability to replay, intercept and modify all requests. The flash is easy to decompile, but it is probably not necessary.

The only thing you can do is raise the bar and prevent direct linking to your content. You can do this using PHP to restrict access to the media. Place all media outside the web server root, or secure the directory with an .htaccess deny from all. Have the flash application first send a “download request”, and issue the flash application a temporary one-time token (a cryptographic nonce). This token is then used in the next request to download the music from a PHP file. It’s easy to fool, but it’s the best that can be done.

0
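
The one-time token flow that the three answers above describe, sketched as an added example (this is not code from any of the posters). The function names, `MEDIA_DIR`, the `stream_tokens` session key and the 5-minute lifetime are assumptions; the token comes from `random_bytes()` instead of `md5(uniqid())`, so it cannot be guessed from the server clock.

```php
<?php
// Added example. MEDIA_DIR, the function names, the session key and the
// 5-minute lifetime are assumptions, not taken from the original posts.
declare(strict_types=1);

const MEDIA_DIR = '/var/media/protected';   // assumed: outside the web root
const TOKEN_TTL = 300;                      // seconds a token stays valid

// Call (after session_start()) while rendering the player page and put the
// result in the player's URL, e.g. streamer.php?id=<token>.
function issue_stream_token(string $file): string
{
    $token = bin2hex(random_bytes(16));     // 32 hex chars from the CSPRNG
    $_SESSION['stream_tokens'][$token] = ['file' => basename($file), 'exp' => time() + TOKEN_TTL];
    return $token;
}

// Returns the absolute path for a valid token, or null. The token is deleted
// before any validation, so it can never be replayed.
function redeem_stream_token(string $token): ?string
{
    $entry = $_SESSION['stream_tokens'][$token] ?? null;
    unset($_SESSION['stream_tokens'][$token]);
    if ($entry === null || $entry['exp'] < time()) {
        return null;
    }
    $path = realpath(MEDIA_DIR . '/' . $entry['file']);
    // realpath() plus a prefix check keeps the lookup inside MEDIA_DIR.
    if ($path === false || strncmp($path, MEDIA_DIR . '/', strlen(MEDIA_DIR) + 1) !== 0) {
        return null;
    }
    return $path;
}

// streamer.php entry point: runs only when this file is the requested script.
if (basename($_SERVER['SCRIPT_FILENAME'] ?? '') === basename(__FILE__)) {
    session_start();
    $id = $_GET['id'] ?? '';
    $path = is_string($id) ? redeem_stream_token($id) : null;
    if ($path === null) {
        http_response_code(403);
        exit('Forbidden');
    }
    $type = ['mp3' => 'audio/mpeg', 'wav' => 'audio/wav'][strtolower(pathinfo($path, PATHINFO_EXTENSION))] ?? 'application/octet-stream';
    header('Content-Type: ' . $type);
    header('Content-Length: ' . filesize($path));
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}
```

A player that requests the file more than once (seeking, range requests) will get a 403 on the second request under strict single use; in that case store a small use counter with the token instead of deleting it on first redemption.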

There is another solution that has been successfully implemented. I tried loading the song in an iframe. Direct access to the song will be limited in the PHP code.

-1
