I want to restrict access to a flash movie so it can only be loaded from a certain url. That url is a page on my server which can only be accessed after you get a pass code. What I don't want is someone who has a pass code scanning the page html source to find the flash movie url and publishing it so everybody can see the file.

Say the page is: http://www.mydomain.com/you_have_a_code.php and the flash movie is: http://www.mydomain.com/movies/movie.swf

I don't really care if someone steals the flash movie from the cache and publishes it on another website, that's kind of impossible to avoid. What really bothers me is that someone publishes the second link and then people can access the flash movie indiscriminately, on my own server, without having a pass code.

Can that be achieved with the .htaccess file? How?

Pol

1 Answer

Try something like this. It requires mod_rewrite, of course.

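# Refuse movie.swf when a Referer is present and does not start with this site.
# Consecutive RewriteCond lines are ANDed; an empty Referer is let through.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://www\.mydomain\.com [NC]
RewriteRule ^movies/movie\.swf$ - [F,L]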

Also, try this community wiki: Redirect, Change URLs or Redirect HTTP to HTTPS in Apache - Everything You Ever Wanted to Know About Mod_Rewrite Rules but Were Afraid to Ask

References:

http://httpd.apache.org/docs/current/mod/mod_rewrite.html

http://dmr.ath.cx/notes/rewrite.html

http://www.webmasterworld.com/forum92/3229.htm

http://www.askapache.com/htaccess/mod_rewrite-tips-and-tricks.html

Eduardo Ivanec
  • You should be aware that the HTTP referrer can be arbitrarily forged and some corporate proxies filter it out anyway. – joschi Apr 28 '11 at 17:27
  • This will break if the user's browser doesn't send referrer headers, though. – Andrew Lambert Apr 28 '11 at 17:28
  • True that. Fixed with the extra RewriteCond, I think. – Eduardo Ivanec Apr 28 '11 at 17:30
  • The removal of headers still breaks this, of course. The only way I can think to avoid breaking those browsers/proxies is to keep a whitelist of IPs that have recently accessed other URLs. That isn't trivial though. – Eduardo Ivanec Apr 28 '11 at 17:33
  • Thanks for the quick response! Works fine and, based on the references, I added a redirect to another content. So, if the browser is not sending the referrer (whether because a proxy ripped it off or because the browser is not sending it in the first place) what would happen then? The user would see the flash movie? Or will be redirected? If he sees the actual movie that's fine, because I don't want someone with a valid code not being able to see the movie because of his company proxy or browser configuration. – Pol Apr 28 '11 at 17:58
  • Actually, I think I had forgotten a negation - it should work now, can you please test it? The RewriteCond directives are joined by an implicit AND, so you can now read it like this: *if there is a referer and it's not my domain, perform no rewrite but return a Forbidden and stop processing ([F,L])*. – Eduardo Ivanec Apr 28 '11 at 18:24
  • Works like a charm :) Someone could still share the URL of the flash movie and just copy-pasting it in the address bar would give you access to the movie, since there is no referrer then... but at least this solution avoids a direct link from another website. Thanks a lot! – Pol Apr 28 '11 at 19:59
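
The decisions of the rule set discussed above, replayed in Python over constructed Referer values; this is an added example, not part of the original answer or comments. The `ANCHORED` pattern, the function names and the sample hosts are assumptions of the example. It shows that the check stops hotlinks from other pages but lets a missing or client-supplied Referer through, so it does not replace a pass-code check on the movie itself.

```python
import re

# The two RewriteCond patterns from the answer; [NC] maps to re.IGNORECASE.
# mod_rewrite matches unanchored unless the pattern says otherwise -> re.search.
EMPTY = re.compile(r"^$")
AS_POSTED = re.compile(r"^http://www\.mydomain\.com", re.I)
# Assumption (not in the answer): end the host name at "/" or end of string,
# so a longer host name that merely starts with ours is treated as foreign.
ANCHORED = re.compile(r"^http://www\.mydomain\.com(/|$)", re.I)


def status(referer, own_site=AS_POSTED):
    """Status the rule set yields for /movies/movie.swf.

    Both conditions are negated and ANDed: the request is refused only
    when a Referer is present AND it does not match our own site.
    """
    has_referer = not EMPTY.search(referer)
    foreign = not own_site.search(referer)
    return 403 if has_referer and foreign else 200


# Constructed sample requests: (description, Referer header value).
SAMPLES = [
    ("embedded in the gated page", "http://www.mydomain.com/you_have_a_code.php"),
    ("URL pasted in the address bar", ""),
    ("proxy stripped the header", ""),
    ("link on another site", "http://forum.example/thread/1"),
    ("client set the header itself", "http://www.mydomain.com/"),
    ("host that only starts with ours", "http://www.mydomain.com.example.net/"),
]


def report():
    """One row per sample: (description, status as posted, status anchored)."""
    return [(what, status(ref), status(ref, ANCHORED)) for what, ref in SAMPLES]


if __name__ == "__main__":
    for what, posted, anchored in report():
        print(f"{what:34} as posted: {posted}   anchored: {anchored}")
```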