Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
1.1k views
in Technique[技术] by (71.8m points)

security - Prevent direct access to mp3/wav files while allowing a flash player to access them with .htaccess (or PHP)

How do I prevent direct access/download to mp3/wav files while allowing a flash player to access them with .htaccess (or PHP)? I've been looking for a solution with only partial and non-functioning solutions to show for my efforts.

The solution below seemed like a great fix at first but it also blocks my flash player from accessing the files. Could I only allow access from particular pages?:

<Files ~ ".*..*">
order allow,deny
deny from all
</Files>

The solution below seemed great at first because it didn't allow people to view the files in the directory but if the user knows the exact URL of the music file, they can download it:

SetHandler application/x-httpd-php
SetHandler application/x-shockwave-flash

Now, I came across this post that forces a user to produce a username and password using htaccess, but a dialog box pops up when on the flash player screen. Is there a way for the page to send the login info without the user doing anything?


If this isn't a secure method, can someone suggest a secure and relatively straightforward method of implementing this restriction feature? URLs and examples would be greatly appreciated.

P.S. This is a WordPress site, hence, I'll be using PHP as a programming language to implement any solution.

P.S. Looking to block novices from downloading, NOT hackers/crackers/internet wizards.



1 Reply

0 votes
by (71.8m points)

Since PHP is available, use it to protect the files. Don't have them in the web root, but somewhere that is accessible to PHP. Then generate a one-time-use URL like:

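<?php
  // random_bytes() (PHP 7+) draws from the CSPRNG; uniqid() is derived from
  // the clock, so md5(uniqid()) is guessable and not a safe token source.
  $unique = bin2hex( random_bytes(16) );  // 32 hex characters
?>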

Then store that unique value in the session/server/db and have another page validate the unique string prior to streaming the file:

<a href="streamer.php?id=6dd4566eb245627b49f3abb7e4502dd6">Stream Me</a>

Be sure to expire that unique token after the first use (or maybe after a few times if you are feeling generous). It won't stop the die-hards from capturing the HTTP stream anyway, but it should prevent casual linking.
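
One way to wire the steps above together in a single streamer.php, as an added example that is not part of the original answer. AUDIO_DIR, TOKEN_TTL (an extra time limit on unused links), the 'stream_tokens' session key and all function names are assumptions, and it relies on the player sending the browser's session cookie:

```php
<?php
// streamer.php: added example. AUDIO_DIR, TOKEN_TTL, the 'stream_tokens' key and all function names are assumptions.
if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }

const AUDIO_DIR = '/var/media/audio';  // assumed directory outside the web root
const TOKEN_TTL = 300;                 // assumed lifetime of an unused link, in seconds

// Called by the page that renders the player: returns a one-time URL for $track.
function issue_stream_url(string $track): string {
    $id = bin2hex(random_bytes(16));   // 32 hex characters from the CSPRNG
    $_SESSION['stream_tokens'][$id] = ['track' => $track, 'expires' => time() + TOKEN_TTL];
    return 'streamer.php?id=' . $id;
}

// Returns the track bound to $id and deletes the token; null if unknown or expired.
function redeem_token(string $id): ?string {
    if (!preg_match('/\A[0-9a-f]{32}\z/', $id) || !isset($_SESSION['stream_tokens'][$id])) {
        return null;
    }
    $entry = $_SESSION['stream_tokens'][$id];
    unset($_SESSION['stream_tokens'][$id]);   // single use, removed even when expired
    return $entry['expires'] >= time() ? $entry['track'] : null;
}

// Maps a track name to a real mp3/wav file inside AUDIO_DIR, or null.
function resolve_track(string $track): ?string {
    $root = realpath(AUDIO_DIR);
    $path = realpath(AUDIO_DIR . '/' . basename($track));   // basename() drops any ../ parts
    if ($root === false || $path === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;                          // missing file, or a symlink leaving AUDIO_DIR
    }
    return preg_match('/\.(mp3|wav)\z/i', $path) ? $path : null;
}

// Serve a file only when this script is the one requested, not when it is include()d.
if (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    $id    = $_GET['id'] ?? '';
    $track = is_string($id) ? redeem_token($id) : null;
    $path  = $track !== null ? resolve_track($track) : null;
    session_write_close();                    // persist the token removal, release the session lock
    if ($path === null) {
        http_response_code(403);
        exit('Link expired or invalid.');
    }
    header('Content-Type: ' . (preg_match('/\.wav\z/i', $path) ? 'audio/wav' : 'audio/mpeg'));
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: no-store');
    readfile($path);
}
```

The player page would include this file and print issue_stream_url('song.mp3') into the player's source parameter. A player that requests the file more than once (for example to seek) needs a small use counter in place of the single unset().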

