Problem with blocking access to swf files


peterbra

12:25 pm on Aug 18, 2009 (gmt 0)

10+ Year Member



I have directory "tutorials" within my website. In that directory I have a lot of .swf files. My goal is to prevent direct access to any of those .swf files, but to allow access if it comes from a link located on my site pages.
I am using this:

<FilesMatch "\.(fla|psd|swf)$">
Order Deny,Allow
Deny from all
Allow from 111.111.111.111
</FilesMatch>

(where 111.111.111.111 is my server IP, and also this is "solid line" |)
It works partially OK - it blocks direct access, but it also blocks access when a user clicks on it from my pages?
I tried changing 111.111.111.111 to: localhost, mydomainname.com, 127.0.01, even placing everything in one line... but nothing worked? Any ideas?

jdMorgan

1:23 pm on Aug 18, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



This isn't going to work in either of the two 'obvious' ways.

First, if a user clicks a link on your page, the HTTP request comes from that user's IP address, and not from that of your server.

And second, if you were to change the code to examine the HTTP referrer, you'd also have problems because the HTTP Referer header (note that this is intentionally mis-spelled, because the header name is actually mis-spelled) is an *optional* header and is in fact not sent by many 'media players.' In fact, some internet security suites will remove this header even if the browser tries to send it to your server.

If you wish to protect 'media' files, the most reliable method is to use a script to serve that media content. A typical approach might be:
1) Set a short-lived cookie on the 'authorized media linking page(s)' on your site (the page containing the clickable link to your protected media.)
2) Internally rewrite all client 'media file' requests to that script.
3) In the script, check for the cookie.
4) If the cookie is set, open the local media file, read it in, and output the contents to the client.
5) If the cookie is not set, provide some alternate (or 'blank') content.

Since the media file is now only opened locally as a 'data file' by your media-serving script, you can block *all* HTTP access to that media file.

The cookie value should be constructed to make it at least somewhat difficult to fake - perhaps by encoding or encrypting it, or by using some combination of the requested media filename and date, etc.

If you do use time as a factor, be aware that you'll need to account for 'boundaries' such as the roll-over from 11:59 PM to 12:00 AM, for example.

Also beware of caching issues: the cookie must not expire or become invalid before the cache entry for the HTML page on which it is created, or you'll see reports (or evidence) of intermittent user problems. So the page which sets the cookie needs to be expired (using HTTP Cache-Control headers) to force a page reload before the cookie might expire. If the page is reloaded, the cookie will also be renewed, so this prevents the described problem.

Jim

peterbra

7:07 am on Aug 19, 2009 (gmt 0)

10+ Year Member



Hi Morgan,
Thanks so much for your explanation - now all makes sense !
I have done (by trial/error) a login script for my whole site, and it's pretty much protected, but since my PHP is at a basic level, can you give me a helping hand with setting up a PHP script that will serve files? Let me tell you what I did so far:
1. When a user is logged in on my site he will see the links.
2. In the directory tutorials, along with the swf files, I have an index.php script.
3. When the user clicks on a link, index.php via the _GET method gets the requested file name. (index.php checks if there is an appropriate session; if not, the user is sent to the homepage.)
4. That's where I have the problem now. How to allow index.php to have access to the file. Whatever I tried I always get an error. In other words, how to access the movie as "data" and not as an object :( Sorry for bugging you with this, but I'm stuck and I tried a Google search, but I was always misled....

jdMorgan

3:58 am on Aug 20, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Well, PHP is too new for me -- I'm an old PERL guy, so I can't help much with the script. But the script needs to resolve the URL-path to a filepath by adding the server Document_Root value to it, and then check to see if it exists. If not, the script must output a 404-Not Found response header to STD_OUT to inform the client.

If the file does exist, then the script must open it, read it in, close the file, and then output the file data. It must also send appropriate Content-Type and Content-Length headers, both derived from the file being requested. You may also wish to send an appropriate Cache-Control header, etc.

Note that we're talking about accessing a local file using a server-internal filepath here, so this is an operating system request to read a local file, not an HTTP request. As such, none of the server config files or .htaccess files will have any effect (nor do they need to). The script simply reads the file and sends its contents with some HTTP headers prepended.

Jim

peterbra

5:49 am on Aug 20, 2009 (gmt 0)

10+ Year Member



Jim,

I think you should write a book about Apache. Really - your explanations are so simple to understand!
Thank you very much - I know what I should do now.
This is my second contact with the Apache server, and I have never worked on a project similar to the one I'm working on now, and your help is greatly appreciated!
Thanks again.

peterbra

6:38 pm on Aug 20, 2009 (gmt 0)

10+ Year Member



Ok, since Jim has helped me a lot with his calm and gentle attitude toward one Apache beginner, I want to elaborate here how I solved the issue. I googled it but wasn't able to find it, so I'm going to describe in detail here how to serve a media file from an htaccess-protected directory:

I have directory here: sitename.com/video-tutorials/
Under that directory I have the following sub-directories:
wordpress/
cpanel/
email/
and a few more. In those directories I have .swf files. Those are actually tutorials on how to use those tools/services. I wanted to protect access to those swf files except for members. In order to access the main directory "sitename.com/video-tutorials/" I developed the usual PHP login script with session IDs... in the main directory I've used htaccess containing these lines:


<FilesMatch "\.(fla|psd|swf)$">
Order Allow,Deny
Deny from all
</FilesMatch>

What does this do? It protects all files in this directory and ALL sub-directories with the extensions .fla, .psd and .swf from being accessed directly (e.g. by typing sitename.com/video-tutorials/wordpress/wp-users.swf)

I want my members to have access to those files and what I did was:
1) I created in each sub-directory an index.php with the following:


include 'root.inc.php';
include("$ROOT/modules/authorization.php");
$absolute_path = $_SERVER['SCRIPT_FILENAME'];
$wordlist = array("index.php", "index.html");
$path = $absolute_path;
foreach ($wordlist as $word)
    $path = str_replace($word, "", $path);
// basename() drops any directory part, so "../" in the parameter cannot leave this directory
$swf = basename(isset($_GET['swf']) ? $_GET['swf'] : '');
// only serve an existing .swf; otherwise tell the client it does not exist
if (substr($swf, -4) !== '.swf' || !is_file($path.$swf)) {
    header('HTTP/1.0 404 Not Found');
    exit;
}
header('Content-Type: application/x-shockwave-flash');
header('Content-Length: ' . filesize($path.$swf));
readfile($path.$swf);

This code serves the swf file from the server path.
The first 2 lines load the authorization file, which checks whether a session exists. If the session doesn't exist it redirects the user to the homepage where he can log in; otherwise it proceeds with the code.
Then it determines the path of "itself" and strips off index.php or index.html so it serves files without name and extension (I have enabled PHP code to be run from html files, so I had to strip off the extensions - don't bother with that piece of code too much, just use it)...
2) In the main tutorials directory "sitename.com/video-tutorials/" I have an index.php where I have links like this:
"wordpress/index.php?swf=wp-categories.swf"
What does this do? It calls the index.php file located in the wordpress directory and via GET passes it the filename to be loaded, and it loads it...

Actually it is more than simple, but I spent 2 days bugging with this... well - not just this - I am running something more, but if I had had this piece of tutorial it would have saved me at least 5 hours of trial/error work :)

I tried to be as clear as possible, but feel free to ask if you are having problems!

g1smd

8:06 pm on Aug 20, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



In all of this, Jim's comments about returning the correct server headers when stuff does not exist are not some casual add-on but instead are a core part of what needs to happen and how it should work.

Another thing is that files can be protected from being accessed from the web by placing them in a folder that is above the web root. That is, placed in a folder on the server that cannot be directly accessed from the web.

The scripts serving the files are accessing the files as local files inside the server, not via HTTP methods.
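To tie together Jim's cookie scheme (short-lived, hard-to-fake cookie set by the linking page, checked by a serving script that sends 404/Content-Type/Content-Length), his caching caveat, and g1smd's point about keeping the files above the web root, here is an added example of such a script. It is not code from this thread; it assumes the media lives in /var/www/media (outside DocumentRoot), that $SECRET is a long random value known only to the server, that Apache internally rewrites /tutorials/*.swf to serve.php?file=<name> which just does require 'media.php'; serve_media();, and that the linking page does require 'media.php'; set_media_cookie('wp-users.swf'); before any output.

```php
<?php
// media.php: added example, not code from the thread. Assumed layout: media in
// /var/www/media (outside the web root), $SECRET a long random server-only value,
// Apache rewriting /tutorials/*.swf to serve.php?file=<name> (which calls
// serve_media()), and the linking page calling set_media_cookie(<name>).
$SECRET   = 'replace-with-a-long-random-secret';   // placeholder, not a real value
$MEDIA    = '/var/www/media';                      // not reachable over HTTP
$LIFETIME = 300;                                   // cookie valid for 5 minutes

// Issues a cookie naming the file and an absolute expiry time, both bound by an
// HMAC so the value cannot be forged or edited. An absolute Unix time avoids the
// midnight/hour roll-over problem Jim describes.
function set_media_cookie($name) {
    global $SECRET, $LIFETIME;
    $exp = time() + $LIFETIME;
    $sig = hash_hmac('sha256', "$name|$exp", $SECRET);
    setcookie('media', "$name|$exp|$sig", $exp, '/', '', false, true);
    // The cached page must not outlive the cookie (Jim's caching point).
    header('Cache-Control: private, max-age=' . $LIFETIME);
}

// True only if the cookie names this file, is unexpired and has a valid HMAC.
function cookie_allows($name, $cookie) {
    global $SECRET;
    $parts = explode('|', $cookie);
    if (count($parts) !== 3) return false;
    list($cname, $exp, $sig) = $parts;
    $expected = hash_hmac('sha256', "$cname|$exp", $SECRET);
    return $cname === $name && (int)$exp > time() && hash_equals($expected, $sig);
}

// Serves the file as local data with the headers Jim lists; 404 if it is missing.
function serve_media() {
    global $MEDIA;
    // basename() drops any directory part, so "../" cannot escape $MEDIA.
    $name = basename(isset($_GET['file']) ? $_GET['file'] : '');
    $file = "$MEDIA/$name";
    if (substr($name, -4) !== '.swf' || !is_file($file)) {
        header('HTTP/1.0 404 Not Found');
        exit;
    }
    if (!isset($_COOKIE['media']) || !cookie_allows($name, $_COOKIE['media'])) {
        header('HTTP/1.0 403 Forbidden');   // or send alternate 'blank' content
        exit;
    }
    header('Content-Type: application/x-shockwave-flash');
    header('Content-Length: ' . filesize($file));
    readfile($file);
}
```

hash_equals() needs PHP 5.6 or later; on older versions a constant-time string comparison must be written by hand.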

jdMorgan

8:54 pm on Aug 20, 2009 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Thanks for posting!

Jim