Embedding Flash .swf above web root

[eluser]jonnyleeharris[/eluser]
Here's the scenario.

I have a web site that holds user accounts, each with a user group. This is a one group to many users relationship.

Each user group has a field in the table of a flash filename that should be loaded on their page.

Now, the nature of the web site means that the Flash files shouldn't be accessible by the public . ie you need to log in to see them.

So, my solution was to store the .swf files above the webroot, in a folder called "Flash". The controller would then do all the fancy work to determine which swf file should be linked in the view, and load the view.

Code:

$data['embedSRC'] = "../Flash/".$this->redux_auth->get_embedSRC($this->session->userdata('id'));

I then pass this info to the view, which, for the record, doesn't seem to be the problem, as when I try to embed something below the webroot, it works.

Above the webroot, it doesn't.

Any suggestions, solutions or whatever are welcomed.

Thanks a lot.

[eluser]jonnyleeharris[/eluser]
Btw I've tried numerous paths to get to the path above my web root. Not just the one shown. Nothing seems to work. I'm stuck, with a deadline to meet..!

[eluser]louis w[/eluser]
Impossible. Anything clientside (images, swf, etc) must be inside the webroot. Only php (which runs serverside) has access outside of html root.

This would be a major security risk if it could happen.

[eluser]jonnyleeharris[/eluser]
[quote author="louis w" date="1214266655"]Impossible. Anything clientside (images, swf, etc) must be inside the webroot. Only php (which runs serverside) has access outside of html root.

This would be a major security risk if it could happen.[/quote]

Thanks. I had a hunch this may be the case.

Is there a workaround for the scenario I proposed?

[eluser]louis w[/eluser]
Why can't you move your flash directory inside the public html root.

[eluser]jonnyleeharris[/eluser]
[quote author="louis w" date="1214268258"]Why can't you move your flash directory inside the public html root.[/quote]

I can, that's obviously what I will have to do - but to stop the general public from accessing the Flash files by just linking to them (if they know the path) from their own web site. I know this is highly unlikely, and that one would need to log into my system before they even got this path, but it's still something I'd like to cover, if covering it isn't going to take me forever and a day.

Thanks for your replies.

[eluser]marcoss[/eluser]
Actually, you can do that, the easiest way would be to copy the file from it's "secure" location into a temporary public file.

There are many alternatives to do this, each has a different goal: security, speed, portability, etc, which one you choose will vary based on your application needs, I'm just gonna give you a little example to get you started.

Code:

$publicSwf = '/var/www/flash/file.swf';
$privateSwf = '/var/flash/file.swf';
$fileData   = read_file($privateSwf); //read the SWF contents and save it to $privateSwf
write_file($publicSwf, $fileData); //now $publicSwf has the same content as $privateSwf.

// do user stuff

unlink($publicSwf); //once user session is expired, delete the public file.

As i said, this is a very basic example so you can get an idea, the read/write functions belong to the CI File Helper http://ellislab.com/codeigniter/user-gui...elper.html.

[eluser]jonnyleeharris[/eluser]
[quote author="marcoss" date="1214287254"]Actually, you can do that, the easiest way would be to copy the file from it's "secure" location into a temporary public file.

There are many alternatives to do this, each has a different goal: security, speed, portability, etc, which one you choose will vary based on your application needs, I'm just gonna give you a little example to get you started.

Code:

$publicSwf = '/var/www/flash/file.swf';
$privateSwf = '/var/flash/file.swf';
$fileData   = read_file($privateSwf); //read the SWF contents and save it to $privateSwf
write_file($publicSwf, $fileData); //now $publicSwf has the same content as $privateSwf.

// do user stuff

unlink($publicSwf); //once user session is expired, delete the public file.

As i said, this is a very basic example so you can get an idea, the read/write functions belong to the CI File Helper http://ellislab.com/codeigniter/user-gui...elper.html.

[/quote]

Brilliant, thanks. I had that idea in my head but I thought it would be too lengthy - you proved that thought wrong it seems!

[eluser]jonnyleeharris[/eluser]
How can I determine when the user session has expired? I do have a logout function, but what if they just close their browser window?

I just need to know when it's safe to delete the temp flash file (i.e. when the user has loaded the flash file).

[eluser]Unknown[/eluser]
To load flash file which is stored above the web root for security here's an easier way.

call a standalone php file which will access the flash file
do any authorisation
serve the file

Code:

if($valid_user) { // authenticate as required

    $cache=0; // required cache time
    $userFlashMovie='myuserflashmovie.swf';
    $file='/serverabspathtoflashdirectory/'.$userFlashMovie;

    ############################################################
        // SERVE THE FLASH FILE  
                header('Content-type: application/x-shockwave-flash');
                header('Cache-Control: public, max-age='.$cache);
                header('Expires: '. gmdate('D, d M Y H:i:s', time() + $cache) .' GMT');
                header('Content-Length: ' . filesize($file));
                header('Pragma: cache');
                readfile($file);
        ############################################################
}