differentiate flash request and request came from browser's address bar,,

Question

hi i am trying to prevent download of mp3 songs, so i want to ask you guys, is it possible to differentiate flash request and normal http requests, i have checked for $_SERVER variable but couldnt find any difference,, what should i do? any solutions please,,

Answer 1

No, when you use Flash's getURL or navigateToUrl methods it sends a normal http packet which you will not be able to differentiate it from normal browser requests.

But the SWF file itself can be domain-locked and even though this technique is hackable if they could get to download your SWF file but it is widely used, and at the same time, web masters try to prevent download by controlling Apache and .htaccess directives.

EDIT: Yes, you can send headers directly from your SWF file.

var loader:URLLoader = new URLLoader();
var request:URLRequest = new URLRequest(whatever_url);
request.requestHeaders.push(new URLRequestHeader("pragma", "no-cache"));
request.requestHeaders.push(new URLRequestHeader("Expires", "Thu, 01 Jan 1970 00:00:00 GMT, -1"));
request.requestHeaders.push(new URLRequestHeader("Cache-Control", "no-cache, no-store, must-revalidate"));
loader.load(request);

for example, This code claims to prevent caching of SWF files on user's browser cache directory.

Answer 2

I'll describe one way to achieve what you want, which is not simple but not too complicated as well. Also not sure it's the best but it should work.

First step: instead of having direct link to the mp3 file (e.g. /MySongs/song.mp3) put the files outside the website root folder and have page that get the desired file on the URL and send the content of the file as result with correct content type and everything, e.g. GetSong.php?songname=song3

Once you have this in place you have better control of the files.

Second step: in the flash parameters, change /MySongs/song.mp3 to the above. Make sure it's working.. note this is still not solving anything.

Third step: whenever user is making request to the page containing the flash that grab the song, assign Session variable (or its equivalent in PHP) with the exact Timestamp of the request. Here I'm relying on the fact that the flash will send the request in the same instant.

Final step: in GetSong.php check for the above Session variable, and send the file only if the current time match exactly the timestamp in the Session, maybe allow a millisecond margin.

Smart users who will crack how it works can bypass it, but it should keep away most ordinary people trying to get the song, even if they're using tools to see how the Flash is requesting the song.