Protect your flash files from hotlinking - specially for arcade sites!

[Jim_Westergren]

This article is written to those who have tried to find a solution on how to prevent people from using up your bandwidth of flash files.

Almost everybody who are making web sites knows that you can easily display images and even flash files from other sites simply by writing the URL:

<embed src="http://www.yoursite.com/swf/yourflashfile.swf"></embed>

You have perhaps also realised this and tried to hide your URL from being viewed. Maybe you inserted a javascript that made it impossible to right click only to find out that you can easily click on View -> Source in the menubar. Then maybe you made with the help of javascript that the flash file opens in a new window with turned off right click and with no menubar. When you then found out that you can simply click on SHIFT + F10 -> View source you maybe took one step further. You made the flash file open up in an iframe that had the exact size as the flash file but you probably realized that you can simply see the source URL in the code and open up that in the browser and then find the URL of the flash file.

You looked on other solutions and you maybe saw those programs that maybe costed hundreds of dollars that made it possible to encrypt the flash files. You looked at it a while, saw the work of it, your thin wallet and went in apathy about the whole thing and skipped it. “It’s cheaper to pay my webhosting the stolen bandwidth than those programs”, maybe you thought.

Now recently I have found a new solution that is very simple, good, works and is free.

Let’s say you have your flash files in a directory called swf and on your index.html the flash file opens.

Step 1:

Create a file called .htaccess in your swf directory (if windows refuses to change the file locally change it when you have uploaded it with your FTP program.)

Cut and paste the following lines (change “nameofyourdomain”):

Options +FollowSymLinks
RewriteEngine on

RewriteOptions inherit
RewriteCond %{HTTP_REFERER} !^http://([a-z0-9-]+\.)* nameofyourdomain.com/ [NC]
RewriteCond %{HTTP_COOKIE} !(^|(.+;)*)id=valid(;.*|$)
RewriteRule /*$ http://www.nameofyourdomain.com/copy.html [L,R]

It is the last 3 lines that are important here and I will explain them here in simple english:

1. If the request is not coming from your own domain.
2. Or if there is no cookie.
3. Redirect to copy.html

On other guides on the internet you will find the above but without the second last line. Without the second last line it works perfectly in Firefox but in Internet Explorer the flash file will not load on your own site. The solution to this is the cookie.

Step 2:

Insert the following in the HEAD of your index.html (or the file in which you have the flash file):

<SCRIPT LANGUAGE="javascript">
// Calculate the expiration date
var expires = new Date ();
expires.setTime(expires.getTime() + 1 * 1 * 20 * 60);
document.cookie = "id=valid; path=/" + "; expires=" + expires.toGMTString();
</SCRIPT>

This will make a cookie when the visitor comes to the site and if the cookie exist internet explorer will load the flash file. Now if you see the above you will see that the cookie will expire very fast, like in 2 seconds or something. The time is just enough for internet explorer to start to load the flash file and way to short for the stealer to find the URL and try to download it.

If now the stealer goes to your site, copies the URL and writes it in the browser, guess what will happen, he will be directed to copy.html and there you can write a surprise for him! If he makes a link to your flash URL on a local html file, right clicks to “save target as ...”, guess what he will download, the copy.html file with the surprice!

Hotlinking also doesn’t work as there is no cookie and the flash file simply will not load.

This method works both in Internet Explorer and Firefox.

Good luck.

Copyright © 2005 Jim Westergren

 

[kingeric]

Thanks for the tip...but I just went to yer site and I can't play any of your games...I get a blank sceen. You might want to check it out. You might be losing some of your legit players.

 

[Jim_Westergren]

Really!?

That's bad. Maybe you have cookies disabled and run on IE?

You are right, it is risky and I have disabled it for now. Have to modify it so that it works better.

I thought I had such a good solution but, well.

Maybe someone here knows a how to modify it so it works for ALL users?

Thanks.

 

[kingeric]

I'm running the standard configuration for IE which is the same as 90 percent of all IE users. My cookies are enabled.

 

[Jim_Westergren]

I give 20 NP$ to the one that solves this and PMs me the solution. It just has to prevent hotlinking of the flash files and work for all visitors regardless of browser and cookie settings. Prevention of copy is just a bonus.

I will be gone for 7 days so I won't have access to the forum but will pay once I am back.

Thanks.

 

[primacomputer]

Protecting against someone saving the file to their local drive is, by definition, impossible to do and still let them play the flash game. They can simply save the entire page and pull the swf out the the page_files folder. They could also pull the file out of their cache. Someone who wanted to rape your site could simply use something like wget with the --referrer option. The only way to stop people from running flash files from their local drive (or another location) is to add some logic to the flash that will cause it to not run unless certain criteria are met. Copy protection for a flash file. Who woulda though it would come to this.

Preventing hot linking is a bit more functional, but there is nothing to stop someone from wrapping an iframe inside a layer on effectively creating a window from their site through to the game on your site. You need to replace your index.html with some sort of script to even start to deal with that.

I have a site that is constantly under attack by leachers and sometimes just gets bombarded by hits from blogs, forums, etc. I came up with a solution that is pretty complicated but might be something you could adapt for your needs. With my system files are never served directly by the web server. They are served by a script that reads them from another part of the file system and outputs the appropriate HTTP headers and data for each request. It works a lot like your htaccess rules in that it returns different data based on certain things but since it's a script it's dynamic and can change it's behaviour based on a complex set of rules.

The main benefit of this is that you can start with few restrictions and tighten them up as you go. You start by serving the media to anyone, but when you get 50 deep link from the same host in one hour you can simply stop serving the media to clients being referred by that host. You don't have to worry about making a set of rules that work for every user+browser+network combination because the rules only kick in when there is anomalous activity.

 

[Oblivion.]

This is something I've been playing around with for the last few days, as part of a new site I'm making. I thought I'd got it the other day, until I went to use my site in IE and it just gave me the wrong file . I'll donate 20NP$ to anyone that can make a fully working solution.

*EDIT*

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://arcaderival.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://arcaderival.com$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.arcaderival.com/.*$      [NC]
RewriteCond %{HTTP_REFERER} !^http://www.arcaderival.com$      [NC]
RewriteRule .*\.(jpg|jpeg|gif|png|bmp|swf|dcr)$ http://www.arcaderival.com/ar_120_600.swf [R,NC]

That seems to be working for me .

 

[primacomputer]

Well if you're using it on your site now then it doesn't work because just embedded a link to sonic on your server in a web page on my server and it played fine.

 

[Oblivion.]

Well if you're using it on your site now then it doesn't work because just embedded a link to sonic on your server in a web page on my server and it played fine.

Please can you tell me the URL to the file you embeded...

 

[primacomputer]

The URL that has embedded file is this:
http://ptdt.com/lib/arcaderival_embed.asp

It appears to be serving up different content without the correct referrer now. The main problem seems to be with the browser cache. If you have already downloaded the swf file then the browser will not try to download it again and it will play fine. This means all I'd need to do is create a “loading” page that has a tiny iframe of your page with the swf. Once it is loaded into cache I can display my page with the file embedded from your server and it will run.

Try it. Start up a fresh browser session, clear your cache, and visit my URL. You get served the alternative flash file. Then visit your site (http://arcaderival.com/index.php?act=play&id=219) let the game load. Then go back to the URL on my site. It will run fine.

Also, for an example of how you can clip any section of another site and display it in your own have a look at this:
http://ptdt.com/lib/arcaderival_frame.asp

 

[Oblivion.]

Damn, that's.... not good I've got a feelnig there wouldn't be any easy way to stop someone from doing that, thanks for making those examples to show me what you meant though .

 

[primacomputer]

It's not the end of the world. You can stop this by making restrictions based on the referrers to the page in which you have embedded the flash file. You want to leave this as unrestricted as possible so that people can bookmark the page, visit it from search engines, etc. If someone frames this you will see a huge number of referrers from their site. Just watch for this and deal with it on a case by case basis.

 

[Oblivion.]

It's not the end of the world. You can stop this by making restrictions based on the referrers to the page in which you have embedded the flash file. You want to leave this as unrestricted as possible so that people can bookmark the page, visit it from search engines, etc. If someone frames this you will see a huge number of referrers from their site. Just watch for this and deal with it on a case by case basis.

I've done that previously with a few sites :cy:

 

[primacomputer]

Perhaps return a page that redirects to the page they are framing, with a _top which will remove their site and take the user to the page on your site the other guy is trying to leach. A great way to get unscrupulous competitors to send you free traffic.

 

[Oblivion.]

That's a good idea! When I next see someone leeching, I'll do that for a few days :D

 

[shadow_boi]

who tried it already? i want to test it