开发者

Restricting SWF file visibility

开发者 https://www.devze.com 2022-12-22 08:13 出处:网络
I have a situation where my main SWF file loads many external SWF files. However, those external SWF files are just sitting in the public folder of the web server.

I have a situation where my main SWF file loads many external SWF files. However, those external SWF files are just sitting in the public folder of the web server.

Is it possible to restrict the SWF visibility to only my main SWF file (the one that loads the external SWFs). In the current state, any user who knows where to look can just type in the URL and get to the SWFs, not to mention rogue bots that don't follow robots.txt.

The reason for this is very simple. Users user a username/password to log into the main Flash application and the main Flash application in turn loads the SWF files and ONLY then they are available to the user. Also, depending on who the logged in user is, some SWF files are restricted and not loaded.

Thanks for any help开发者_开发知识库!


It depends how flash is authenticating. Flash needs to authenticate with a server side application with a database. The server side application can then use a database to perform access control on a per-file basis.

All files should be tracked by a table, contains columns such as the local path to the file as well as user_group or perhaps a user_id. The authenticated session should keep track of the user_id after they have logged in with a username and password.

It is common for attack spiders to use robots.txt against you, if you put these file paths in your robots.txt you are better off just zip them up and give them to the attacker.

It is very easy to decompile flash applications and modify them. Do not rely on "client side" security systems, they are very easy to bypass. An attacker can also replay and modify HTTP requests using tamperdata. You need a server to tell the client what files it can access.


Depending on how secure you want to be, I can think of a couple of options:

  1. A server-side script to control delivery of your sub-swfs (as Pekka has suggested above).

  2. If want to do everything client-side, you could put a conditional test within each sub-swf, so they will only play from inside your main swf:

Something like if(this.parent.toString() != "mainSwf") { stop();} (in pseudocode).

Granted, this isn't foolproof, since someone could easily make their own parent named "mainSwf", but it would deter casual browsing of your sub-swfs. At least until someone decompiles them...

You could make things slightly harder by setting a property within the main swf, such as var myKey:String="362574036704ry3f0y3432607", then use your conditional to test for it: if(this.parent.myKey != "362574036704ry3f0y3432607") { stop();}.

Sill not terribly secure, though. Hope this helps.


EDIT:

There's also a similar question here, which might have useful answers.

0

精彩评论

暂无评论...
验证码 换一张
取 消