Restrict Direct Access to .swf Via URL

Hi Bhaskar,

You can do something similar to this...

$realSWFPath = '/some/path/location/for/flash.swf';
$cachePath = '/some/cache/folder/';
$newFileName = md5(microtime()).'.swf';
copy($realSWFPath, $cachePath.$newFileName);

All you would have to do now is use the new path and new file name inside the embed object. Please be careful to use absolute paths for the $realSWFPath and $cachePath and use a relative path inside the embed.

I haven't developed any pages that run on Windows until now, so I don't know how IIS handles pathing but I will give you an example with Linux pathing and you can adapt it.

Lets assume your website is hosted in "/var/www/site.com" and the .swf file is located inside a folder called "secret", and it is called "file.swf". I am also going to assume that the cache folder is called "cache".

The script would change like so:

$realSWFPath = '/var/www/site.com/secret/file.swf';
$cachePath = '/var/www/site.com/cache/';
$newFileName = md5(microtime()).'.swf';
copy($realSWFPath, $cachePath.$newFileName);
$embedPath = 'cache/'.$newFileName;

Hope it helps and you can adapt it to your Windows pathing.

Hi Bhaskar,

Because when you used $cachePath = $_SERVER['DOCUMENT_ROOT']."/cache/"; you obtained an actual file system path to that folder, and the other one is just a web address. When dealing with paths to your files you should always use file system paths like that one.

You can also use the DIR constant which is always pointing to the folder in which your script is running.

Hi Bhaskar,

Normally if the file is in your website's path it is accessible through direct linking. One thing you can try and do is generate a random name for the file each time the page is loaded, place it in a cache folder and keep it there for like 1 hour.

This way if someone comes to your page they get to see the .swf with a strange name, which most of the users won't even check, and be happy. After an hour the file will be gone and if they refresh the page a new name will be created and so on.

Keep the original file somewhere in your website's path, don't link against it, just copy from it all the time to the new files. Depending on the number of visits you have, you might also have a lot of the same file generated, but the hourly script will clean that up.

Another option would be, and this one isn't tested yet, to link instead to a .swf file to a .php file in your website's path, that .php file would first check the HTTP_REFERER to see if it comes from your own domain, and if it does, issue a header function with the .swf mimetype and echo the contents of the actual .swf file.

The script I am talking about would be similar to the script below...

if (!preg_match('/my_domain/', $_SERVER['HTTP_REFERER'])) {
    // Direct visitors will be redirected some/place/else
    header('Location:/some/place/else');
}

$realSWFPath = '/some/path/location/for/flash.swf';

header('Content-Type: application/x-shockwave-flash');
header('Expires: 0');
header('Cache-Control: must-revalidate');
header('Pragma: public');
readfile($realSWFPath);
exit;

It worked perfectly when i took $cachePath = $_SERVER['DOCUMENT_ROOT']."/cache/"; but it was not working when i took path like $cachePath= "http://www.site.com/cache";

Any Idea????

Thank you so much for your help Robert....!!!!