intermittent redirect problems

bubster119

7:07 pm on Mar 13, 2009 (gmt 0)

I've got a .htaccess file set up which is supposed to redirect direct access attempts to .flv files to an alt page.

The alt page it redirects to has a flash player file embedded in it, which itself loads the individual .flv files.

For some reason the code works correctly 90% of the time; however, every once in a while it will actually load the .flv directly.

Can anyone see anything glaringly wrong in the following code?


Options +MultiViews +FollowSymLinks
# DENY direct requests for .flv files that do not carry our own referer
RewriteEngine On
RewriteBase /
# Only act on requests whose target file ends in .flv (case-insensitive)
RewriteCond %{REQUEST_FILENAME} \.flv$ [NC]
# ...and whose Referer header does not mention our own host
# (a missing Referer also matches, so such requests are redirected too)
RewriteCond %{HTTP_REFERER} !sub.example.com [NC]
# Send the visitor to the player page instead. 302 rather than 301: a 301 is
# cached by the browser, so later legitimate loads of the same URL would also
# be redirected. [L] stops further rule processing after the redirect.
RewriteRule (.*) http://sub.example.com/folder/index.php [R=302,L]

Thanks very much in advance for any help/assistance or pointers

jdMorgan

7:21 pm on Mar 13, 2009 (gmt 0)

Any methods based on HTTP_REFERER will always be unreliable, because the HTTP_REFERER header is *optional* and will not be sent with every request. It can also be spoofed, suppressed by "internet security" client software, and cannot be sent with requests from caching proxies, because it does not exist in that case.

If you need more media content security, then use a script to serve all media, and have that script check a cookie that will be set only if the client has previously requested an "authorized" referrer page on your own site.

Alternately, you could use a "diversionary tactic" -- rename your media subdirectory every day (or every hour, etc.) and then update the links on all of your pages by changing a PHP variable that tracks the correct directory name.

Jim

bubster119

8:48 am on Mar 14, 2009 (gmt 0)

Thanks Jim,

Am I correct in thinking that with the below method – as long as the user has previously visited the "authorised referer page" that they will still be able to directly access the .flv file as long as the attempt occurs within that authorised php session?

If you need more media content security, then use a script to serve all media, and have that script check a cookie that will be set only if the client has previously requested an "authorized" referrer page on your own site.

jdMorgan

1:46 pm on Mar 14, 2009 (gmt 0)

Yes. But then again, think about "what is direct access?" Either way, the user is using his browser to download and store the file in the browser cache, from which it can easily be extracted even if you were somehow able to differentiate between a download invoked by an on-page 'include' element and a download invoked by typing in the URL; either way, it's a download. And of course, there are many "media file download assistants" available which grab and request the URLs from on-page media include element links, and you can't tell those from "regular" on-page-include-element-invoked downloads either.

So, although it sounds rude/harsh/simplistic and is not the answer that we want to hear, it's really true: "If you don't want it copied, don't publish it on the Web." All we can do is to *limit* the ease with which content can be ripped: because of human nature, making it ten percent harder eliminates 90% of the content theft.

On the other hand, I wasn't necessarily referring to a session cookie, but rather to a specific content-control cookie outside of PHP's session framework. You *could* create a cookie with a very short persistence, so that the media content could only be loaded within a few seconds of the cookie-setting page being loaded. The caveat is to make this persistence-time long enough for your legitimate users with the slowest dial-up connections.

Jim
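The cookie-gated serving script Jim describes in his two replies above (a script that serves every media file and checks a content-control cookie with a short lifetime, set outside PHP's session framework), as an added example that is not from the thread or from either poster. The file name media_gate.php, the cookie name, the 30-second lifetime, the HMAC-signed token format, the media directory and the secret are all assumptions chosen for the example; the redirect target is the player page from the original .htaccess.

```php
<?php
// media_gate.php (constructed example). Required by two scripts:
//   index.php (the page embedding the player):  require 'media_gate.php'; set_media_cookie();
//   serve.php (the only URL that hands out .flv): require 'media_gate.php'; serve_media($_GET['f'] ?? '');
// All names and values below are assumptions made for this example.

const MEDIA_COOKIE = 'media_ok';               // assumed cookie name
const MEDIA_TTL    = 30;                        // seconds a token stays valid; keep it long enough for slow clients
const MEDIA_DIR    = '/var/www/media';          // assumed location OUTSIDE the web root, so no direct URL exists
const MEDIA_SECRET = 'REPLACE-WITH-LONG-RANDOM-VALUE'; // placeholder; generate a real random secret
const ALT_PAGE     = 'http://sub.example.com/folder/index.php';

// Token = "<expiry unix time>.<hmac-sha256 over the expiry>". The client cannot
// extend the expiry without knowing the secret.
function make_media_token(int $now, int $ttl, string $secret): string {
    $exp = (string)($now + $ttl);
    return $exp . '.' . hash_hmac('sha256', $exp, $secret);
}

// Valid only if well-formed, not yet expired, and the HMAC matches.
function verify_media_token(string $token, int $now, string $secret): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || $parts[0] === '' || !ctype_digit($parts[0])) {
        return false;
    }
    [$exp, $mac] = $parts;
    if ((int)$exp < $now) {
        return false;                           // token has expired
    }
    $expected = hash_hmac('sha256', $exp, $secret);
    return hash_equals($expected, $mac);        // constant-time comparison
}

// Called by the player page before any output is sent.
function set_media_cookie(): void {
    $token = make_media_token(time(), MEDIA_TTL, MEDIA_SECRET);
    setcookie(MEDIA_COOKIE, $token, [          // array form needs PHP 7.3+
        'expires'  => time() + MEDIA_TTL,
        'path'     => '/',
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Called by serve.php, e.g. serve.php?f=clip.flv
function serve_media(string $requested): void {
    $token = $_COOKIE[MEDIA_COOKIE] ?? '';
    if (!verify_media_token($token, time(), MEDIA_SECRET)) {
        // No valid cookie: send the visitor to the player page (302, so browsers do not cache it).
        header('Location: ' . ALT_PAGE, true, 302);
        exit;
    }
    // Accept only a bare filename ending in .flv: no slashes, no "..", no other extensions.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.flv\z/', $requested)) {
        http_response_code(404);
        exit;
    }
    $path = MEDIA_DIR . '/' . $requested;
    if (!is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: video/x-flv');
    header('Content-Length: ' . (string)filesize($path));
    header('Cache-Control: private, no-store');
    readfile($path);
}
```

Because the files live outside the document root, Apache never serves a .flv by URL at all, so the referer rule in the .htaccess becomes unnecessary; the player simply points at serve.php?f=... instead of the raw file. As Jim says, this only limits how easily the content is ripped: whoever holds a fresh cookie can still fetch the file within the token's lifetime.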

bubster119

9:33 am on Mar 16, 2009 (gmt 0)

Thanks for the clarification Jim, and as always, for taking the time to reply.

Taking on board what you've discussed I think I need to re-consider the scope of what I'm trying to achieve. What you said about making it 10% harder struck me and I think that will be sufficient for my needs.

Thanks again!

Bub