
Prevent direct access to mp3/wav files while allowing a flash player to access them with .htaccess (or PHP)

How do I prevent direct access/download to mp3/wav files while allowing a flash player to access them with .htaccess (or PHP)? I've been looking for a solution with only partial and non-functioning solutions to show for my efforts.

The solution below seemed like a great fix at first but it also blocks my flash player from accessing the files. Could I only allow access from particular pages?:

<Files ~ ".*\..*">
order allow,deny
deny from all
</Files>

The solution below seemed great at first because it didn't allow people to view the files in the directory but if the user knows the exact URL of the music file, they can download it:

SetHandler application/x-httpd-php
SetHandler application/x-shockwave-flash

Now, I came across this post that forces a user to produce a username and password using htaccess, but a dialog box pops up when on the flash player screen. Is there a way for the page to send the login info without the user doing anything?

If this isn't a secure method, can someone suggest a secure and relatively straight-forward method of implementing this restriction feature? URLs and examples would be greatly appreciated.

P.S. This is a WordPress site, hence, I'll be using PHP as a programming language to implement any solution.

P.S. Looking to block novices from downloading, NOT hackers/crackers/internet wizards.

asked Aug 04 '10 19:08

Julian


1 Answer

Since PHP is available, use it to protect the files. Don't have them in the web root, but somewhere that is accessible to PHP. Then generate a one-time-use URL like:

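<?php
  // uniqid() is derived from the clock and is guessable, so draw the token from the CSPRNG (PHP 7+)
  $unique = bin2hex( random_bytes(16) );  // 32 hex characters
?>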

Then store that unique value in the session/server/db and have another page validate the unique string prior to streaming the file:

<a href="streamer.php?id=6dd4566eb245627b49f3abb7e4502dd6">Stream Me</a>

Be sure to expire that unique token after the first use (or maybe after a few times if you are feeling generous). It won't stop the die-hards from capturing the HTTP stream anyway, but it should prevent casual linking.

answered Sep 17 '22 23:09

Goyuix
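
The flow described in the answer above (issue a token, store it in the session, validate and expire it in `streamer.php`), as an added example that is not part of the original answer. `AUDIO_DIR`, `TOKEN_TTL`, the `stream_tokens` session key and both function names are assumptions; the token is drawn from `random_bytes()` (PHP 7+) because `uniqid()` values are time-based and guessable.

```php
<?php
declare(strict_types=1);
// Added example. AUDIO_DIR, TOKEN_TTL and the function names are assumptions.
const AUDIO_DIR = '/srv/private-audio';  // assumed directory outside the web root
const TOKEN_TTL = 300;                   // assumed token lifetime in seconds

// Called by the page that embeds the player (after session_start()).
function issue_stream_url(string $file): string
{
    $token = bin2hex(random_bytes(16));  // 32 hex characters from the CSPRNG
    $_SESSION['stream_tokens'][$token] = ['file' => basename($file), 'exp' => time() + TOKEN_TTL];
    return 'streamer.php?id=' . $token;
}

// Returns the file to stream, or null when the token is unknown, used or expired.
function redeem_token(string $token): ?string
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    $entry = $_SESSION['stream_tokens'][$token] ?? null;
    unset($_SESSION['stream_tokens'][$token]);  // single use: drop it on first presentation
    if ($entry === null || $entry['exp'] < time()) {
        return null;
    }
    $base = realpath(AUDIO_DIR);
    $path = realpath(AUDIO_DIR . '/' . $entry['file']);
    // realpath() is false for a missing file; the prefix test keeps the result inside AUDIO_DIR
    if ($base === false || $path === false || strpos($path, $base . '/') !== 0) {
        return null;
    }
    return $path;
}

// streamer.php entry point: runs only when this file is the requested script
if (realpath($_SERVER['SCRIPT_FILENAME'] ?? '') === __FILE__) {
    session_start();
    $id = $_GET['id'] ?? '';
    $path = is_string($id) ? redeem_token($id) : null;
    session_write_close();  // persist the unset and release the session lock before streaming
    if ($path === null) {
        http_response_code(403);
        exit;
    }
    $types = ['mp3' => 'audio/mpeg', 'wav' => 'audio/wav'];
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    header('Content-Type: ' . ($types[$ext] ?? 'application/octet-stream'));
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

If the player requests the URL more than once, replace the `unset()` with a small use counter, which is the "after a few times" variant the answer mentions.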