I have a situation where my main SWF file loads many external SWF files. However, those external SWF files are just sitting in the public folder of the web server.
Is it possible to restrict the SWF visibility to only my main SWF file (the one that loads the external SWFs)? In the current state, any user who knows where to look can just type in the URL and get to the SWFs, not to mention rogue bots that don't follow robots.txt.
The reason for this is very simple. Users use a username/password to log into the main Flash application, and the main Flash application in turn loads the SWF files, and ONLY then are they available to the user. Also, depending on who the logged-in user is, some SWF files are restricted and not loaded.
Thanks for any help!
It depends on how Flash is authenticating. Flash needs to authenticate with a server-side application with a database. The server-side application can then use a database to perform access control on a per-file basis.
All files should be tracked by a table containing columns such as the local path to the file as well as user_group or perhaps a user_id. The authenticated session should keep track of the user_id after they have logged in with a username and password.
It is common for attack spiders to use robots.txt against you. If you put these file paths in your robots.txt, you are better off just zipping them up and giving them to the attacker.
It is very easy to decompile Flash applications and modify them. Do not rely on "client-side" security systems; they are very easy to bypass. An attacker can also replay and modify HTTP requests using Tamper Data. You need a server to tell the client what files it can access.
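The per-file check described in this answer, as an added example that is not part of the original answer. It assumes the SWFs have been moved out of the public folder into a private directory and are streamed by the server-side application; the table layout, session tokens, file ids and paths are constructed for illustration.

```python
import posixpath
import sqlite3

SWF_ROOT = "/srv/private_swf"  # assumed location outside the public web folder

def build_db():
    """Constructed sample data; table names and rows are illustrative."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (user_id INTEGER PRIMARY KEY, user_group TEXT NOT NULL);
        CREATE TABLE files (file_id INTEGER PRIMARY KEY,
                            local_path TEXT NOT NULL,
                            user_group TEXT NOT NULL);
        INSERT INTO users VALUES (1, 'staff'), (2, 'member');
        INSERT INTO files VALUES (10, 'modules/reports.swf', 'staff'),
                                 (11, 'modules/chat.swf', 'member'),
                                 (12, 'modules/profile.swf', 'member');
    """)
    return db

def allowed_files(db, sessions, token):
    """File ids the server tells this logged-in client it may load."""
    user_id = sessions.get(token)
    if user_id is None:
        return []
    rows = db.execute(
        "SELECT f.file_id FROM files f JOIN users u ON u.user_group = f.user_group "
        "WHERE u.user_id = ? ORDER BY f.file_id", (user_id,))
    return [r[0] for r in rows]

def resolve_swf(db, sessions, token, file_id):
    """Return (HTTP status, path to stream). The user_id is taken from the
    server-side session, never from a value the Flash client sends."""
    user_id = sessions.get(token)
    if user_id is None:
        return 401, None  # no authenticated session
    row = db.execute(
        "SELECT f.local_path FROM files f JOIN users u ON u.user_group = f.user_group "
        "WHERE f.file_id = ? AND u.user_id = ?", (file_id, user_id)).fetchone()
    if row is None:
        return 403, None  # unknown file and wrong group get the same answer
    return 200, posixpath.join(SWF_ROOT, row[0])

if __name__ == "__main__":
    db = build_db()
    sessions = {"tok-staff": 1, "tok-member": 2}  # session token -> user_id, set at login
    print(allowed_files(db, sessions, "tok-member"))
    print(resolve_swf(db, sessions, "tok-member", 10))
```

The main SWF would request files by id through an endpoint backed by `resolve_swf`, so typing a URL directly never reaches the private directory.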