PHP Classes
elePHPant
Icontem

Secure Media: Protect Flash files from hotlinking by other sites

Recommend this page to a friend!
Stumble It! Stumble It! Bookmark in del.icio.us Bookmark in del.icio.us
  Info   View files View files (3)   DownloadInstall with Composer Download .zip   Reputation   Support forum (1)   Blog    
Last Updated Ratings Unique User Downloads Download Rankings  
2004-10-14 (10 years ago) RSS 2.0 feedStarStarStarStar 60%Total: 2,086 All time: 1,787 This week: 1,360Up
Version License Categories  
securemedia 1.0GNU General Publi...Files and Folders, User Management, S..., F...
Description Author  

The Apache mod_rewrite is often used to protect images and other types of media files from hotlinking from other sites, that make them appear in their pages although they are served from the original sites.

However, mod_rewrite can be used to protect the service of Flash files against hotlinking because these are embedded in pages using the <object> tag and in this case the browsers do not send a referer when requesting the Flash file from the origin server.

This class provides an alternative solution that works by generating a access key that is used to compose the URL used in the object tag but it is only valid only during a limited period of time.

The class takes as options the location of server directory where is the file to be protected, a password and the limit of time during which the access key is valid.

When the class validates the access key, it serves the real Flash file if the key is valid, or serves an error Flash file otherwise.

Innovation Award  
PHP Programming Innovation award nominee
October 2004
Number 4


Prize: One copy of the Maguma Workbench
The unauthorized use of content of one site in another site is an activity that concerns many site owners.

Hotlinking is one type of unauthorized content use that consists in making pages, images and animations appear in one site despite they are being served by the site that really is publishing that type of content.

Hotlinking is problematic not only because it lets unauthorized sites obtain illicit merit for showing unauthorized content, but also because it may cause financial losses by making the owner site pay for the bandwidth to serve content for other sites.

There are solutions to prevent simple hotlinking by rejecting accesses made from unauthorized referring sites. However, these solutions do not work well for blocking hotlinking of Flash animation objects.

This class provides an alternative solution that works well enough for Flash animations embedded in Web pages dynamically generated with PHP.

Manuel Lemos
Picture of Florian Metzger
Name: Florian Metzger <contact>
Classes: 1 package by
Country: Germany Germany
Age: 36
All time rank: 134587 in Germany Germany
Week rank: 1479 Down75 in Germany Germany Up
Innovation award
Innovation award
Nominee: 1x

Details provided by the author  
1. Introduction

The Apache url rewriting utility is an easy and effective tool to secure image files against bandwith theft. Unfortunately this method doesn't work with flash swf files as the <object> tag doesn't submit a referer when requesting the swf file from the server. 

The solution to this problem is the Neodelight Secure Media System - it allows you to protect your swf files or any other filetype from bandwith thievery and hotlinks. 

This software is released under the GPL General Public License. It is free to use and open source. 

Anybody is invited to further improve the system, so please email me (fm@neodelight.com) if you have any ideas, bug reports, suggestions or questions. 


--------------------------------------------------------------------------------

2. Implementation
Add these lines to your httpd.conf to redirect any requests for secured swf files to the neodelight secure media script: 

<IfModule mod_rewrite.c>
  RewriteEngine on
  ^/(.*)\.SM([a-fA-F0-9]{32})\.swf$ /securemedia.php?file=$1&key=$2
</IfModule> 

Move the swf file you want to protect to a directory not accessible by a browser, default is "/var/www/securemedia/".

The swf files you want to protect have to be in the same subdirectory of the secured dir as they were on your website. 

Example: If you want to protect the file http://www.myserver.com/mydir/flash.swf then you'll have to put it to /var/www/securemedia/mydir/flash.swf

Now put the files CSecureMedia.php and securemedia.php into your webservers root directory, for example http://www.myserver.com/securemedia.php 

You can now access the secured file by its secured url: 

http://www.yourserver.com/path/file.SM012345678900123456789012345678901.swf  
You'll have to replace "01234567890123456789012345678901" with the md5() of your keystring together with the current date in the format "YYYYMMDD". Use the php command md5('yourpassword'.date("Ymd")) for that purpose. 

<!-- Example HTML/PHP code displaying a protected swf file-->

<?php
// example: you have a file called "myfile.swf"
  $filename = 'myfile'.'.SM'.md5('yourpassword'.date("Ymd")).'.swf';
?>

<OBJECT WIDTH="550" HEIGHT="400" >
  <PARAM NAME=movie VALUE="<?php echo $filename; ?>">
  <EMBED src="<?php echo $filename; ?>" WIDTH="550" HEIGHT="400" TYPE="application/x-shockwave-flash"></EMBED>
</OBJECT>  

The script "securemedia.php" in the webserver root directory will handle the request and check if the keystring is valid and deliver the file if so, otherwise it will deliver the file "denied.swf" from the $secureDir directory to forward the user to your homepage. 

To create a "denied.swf" file that forwards to your website, create a blank Flash file and enter the following code into the first frame:

getURL('http://www.yourserver.com/','_top');  

You can also download the FLA file here: http://www.neodelight.com/personal/flo/securemedia/denied.fla

3. ToDo

The described method might also work to protect files other than swf if adapted accordingly. If you gained any experiences with that, please let me (fm@neodelight.com) know. 

The System was not tested yet with Flash applications that load other swf files at runtime 

You canīt pass parameters to the swf file at the moment. The url rewrite string would need some changes for that. 

Anybody is invited to further improve the system, so please email me (fm@neodelight.com) if you have any ideas, bug reports, suggestions or questions. 

4. Latest Version

The latest version can be found at http://www.neodelight.com/personal/flo/securemedia
  Files folder image Files  
File Role Description
Plain text file CSecureMedia.php Class the main class
Accessible without login Plain text file README Doc. documentation
Accessible without login Plain text file securemedia.php Example sample script

 Version Control Unique User Downloads Download Rankings  
 0%Total:2,086All time:1,787
 This week:0This week:1,360Up
 User Ratings  
 
 All time
Utility:75%StarStarStarStar
Consistency:81%StarStarStarStarStar
Documentation:68%StarStarStarStar
Examples:75%StarStarStarStar
Tests:-
Videos:-
Overall:60%StarStarStarStar
Rank:915