
Thread: Restricting Directories

  1. #1
    driveflexfuel
    Join Date
    Jul 2008
    Posts
    159

    Restricting Directories

    I have a very large site I am working on that has many directories that I wish to block from public viewing. These directories contain MP3 files that I do not wish to be downloaded. These files still need to be available for use in a flash media player.

    Is there a way to block access to all folders named "music"? The only thing I could think of is a .htaccess redirect if they try to type it in directly, but I am not the best at .htaccess coding. Any suggestions would be greatly appreciated.

  2. #2
    farscapeone
    Join Date
    Dec 2008
    Location
    Србија (Serbia)
    Posts
    1,166

    Re: Restricting Directories

    Did you know that PHP ignores permissions from the server? That means if you set chmod of any folder to block everything, your PHP script will still be able to access it.

  3. #3
    descalzo
    Join Date
    Jul 2009
    Location
    Ankh-Morpork
    Posts
    7,636

    Re: Restricting Directories

    You could do something similar to a HotLink protect in .htaccess

    Code:
    RewriteEngine On
    # Redirect requests in this directory whose Referer is not one of the site's own /music/ pages
    RewriteCond %{HTTP_REFERER} !^http://yourwebaddy\.com/music/.*$ [NC]
    RewriteCond %{HTTP_REFERER} !^http://www\.yourwebaddy\.com/music/.*$ [NC]
    RewriteRule .* http://www.yourwebaddy.com/notavailable.html [R,NC]
    All requests in dir music not sent from one of your pages get deflected (but can be spoofed).
    Last edited by descalzo; 01-21-2010 at 12:30 PM.
    Nothing is always absolutely so.

  4. #4
    slacker3
    Join Date
    Jul 2009
    Posts
    146

    Re: Restricting Directories

    Spoofing the HTTP referrer is actually a pretty easy task - it's sent by the client's web browser and can contain anything (or nothing). You should never trust any user input.
    Last edited by slacker3; 01-21-2010 at 02:18 PM. Reason: :)

  5. #5
    descalzo
    Join Date
    Jul 2009
    Location
    Ankh-Morpork
    Posts
    7,636

    Re: Restricting Directories

    Quote (originally posted by slacker3):
    Spoofing the HTTP referrer is actually a pretty easy task - it's sent by the client's web browser and can contain anything (or nothing). You should never trust any user input.
    Then what is your suggestion for a solution to his question?
    Nothing is always absolutely so.

  6. #6
    slacker3
    Join Date
    Jul 2009
    Posts
    146

    Re: Restricting Directories

    Quote (originally posted by descalzo):
    Then what is your suggestion for a solution to his question?
    I'm not familiar with flash, so I can't give any suggestions.

    The mp3 files could be stored above document root - or just protect the folder with http basic auth
    using an ultra-long password (you don't have to use it anyway), which could be done with cpanel.


    But if you can play 'em, you can download 'em. ;)

  7. #7
    misson
    Join Date
    Mar 2008
    Location
    Libertatia
    Posts
    2,506

    Re: Restricting Directories

    Quote (originally posted by leviathon):
    Did you know that PHP ignores permissions from the server? That means if you set chmod of any folder to block everything, your PHP script will still be able to access it.
    PHP doesn't ignore permissions; the only processes that can ignore permissions are those running as root. What happens is PHP scripts run with your credentials, so the "owner" permissions apply. Since the owner usually has read access (and execute/search for directories), the PHP script can access all your files. Try to access someone else's files with a PHP script and you'll often be denied.

    Quote (originally posted by slacker3):
    But if you can play 'em, you can download 'em.
    This is the crux of the problem. HTTP doesn't differentiate among user agents. Since the songs have to be available to the flash player (which runs client side), the MP3s need to be publicly accessible. If you embed the MP3s in flash movies (which could be done on-the-fly), so only these flash movies are accessible, the MP3s can be extracted from the movies.

    You could add some secret information to the flash movie, either a token that the server checks before sending a song or a decryption key (either encrypt the MP3s before storage or encrypt them on-the-fly, if different clients are to have different secret keys), but this info could be extracted from the player. This is probably the best you can hope to do. Throw in Referer checking, because it's slightly simpler to implement than it is to circumvent.

    Even if you find a way to keep MP3s from opening in a browser, a user can record incoming packets and extract the MP3 stream. In short, you can make it difficult for visitors to get MP3s directly, but you can't prevent it.
    Last edited by misson; 01-21-2010 at 04:08 PM.
    Be sure to read all pages linked in this post; they have further information that should prove useful. When asking for help, make sure you follow Eric Raymond's and Jon Skeet's guidelines for prompt, accurate responses. Please answer any questions I ask; they're not rhetorical (probably). Any posted code is intended as illustrative example, rather than a solution to your problem to be copied without alteration. Study it to learn how to write your own solution.
    Misson, not Mission.
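
The two server-side ideas raised in the thread, slacker3's files stored above document root and misson's token that the server checks before sending a song, combined in one gatekeeper script as an added example that is not part of any post. The names `MUSIC_DIR`, `SECRET`, `TOKEN_TTL`, `make_token()`, `check_token()` and the `song.php?f=...&t=...` URL shape are assumptions; as misson points out, whatever reaches the player can be extracted, so this limits direct linking rather than copying.

```php
<?php
// Added example, not code from the thread. All names and paths are assumed.
const MUSIC_DIR = '/home/example/private_music';      // assumed path outside public_html
const SECRET    = 'replace-with-a-long-random-value'; // placeholder signing key
const TOKEN_TTL = 300;                                // seconds a link stays valid

// Called by the page that embeds the player: returns "expiry.signature" for one file.
function make_token(string $file, ?int $now = null): string {
    $expires = ($now ?? time()) + TOKEN_TTL;
    return $expires . '.' . hash_hmac('sha256', $file . '|' . $expires, SECRET);
}

// Called by the download script: true only for an unexpired, untampered token.
function check_token(string $file, string $token, ?int $now = null): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed token
    }
    [$expires, $sig] = $parts;
    if ((int)$expires < ($now ?? time())) {
        return false; // link has expired
    }
    $expected = hash_hmac('sha256', $file . '|' . $expires, SECRET);
    return hash_equals($expected, $sig); // constant-time comparison
}

// Request handler, e.g. song.php?f=track01.mp3&t=<token>
if (PHP_SAPI !== 'cli') {
    $file  = basename((string)($_GET['f'] ?? '')); // basename() drops any directory part
    $token = (string)($_GET['t'] ?? '');
    $path  = MUSIC_DIR . '/' . $file;
    if ($file === '' || !preg_match('/\.mp3$/i', $file)
        || !check_token($file, $token) || !is_file($path)) {
        http_response_code(403);
        exit('Not available');
    }
    header('Content-Type: audio/mpeg');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');
    readfile($path); // file is read from outside the web root, never linked directly
}
```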
