Allow only SWF file to access PHP script

Question

is it possible to restrict access to the PHP file only from Flash? Eg. I have example.php and file.swf . File.swf sends request to example.php , which returns a JSON string.

I don't want to allow users to access example.php directly (via browser or whatever).

Any ideas?

Answer 1

I am not quite sure how you send the request from the flashfile, but here is what I would try; Specify a header from the swf-file, which would not be present in a request from a webbrowser, and then check if the header is present in the top of example.php, and end the script execution if not.

Example:

<?php
if( !isset($_SERVER['HTTP_MYSPECIALHEADER']) ){
    die('You cannot access this file directly!');
}
// Do whatever the script should do if the request came from the .swf file.

As I said, I dont know how it works with communication from the swf file, but you could always take a var_dump of the $_SERVER variable to see if there already are any headers you could use to check if the request came from the swf-file.

Edit: How do i know if the request came from flash swf?

Check out this one. As said in that one, I dont think you can be a 100% sure that the request originated from the flash-file, as the user could alwasy manipulate what is sent to the server.

Answer 2

The short answer it is impossible to do.

HOWEVER you can make it harder by signing messages with a private key which you embed in the .swf (the public key is on the server). This creates a unique signature for different messages which you can check the message integrity with. Your message should also include a timestamp so you reject requests more than 15s old to prevent replay attacks.

It is true that people could retrieve the key by decompiling the .swf and then just sign their own messages (This requires alot more effort that just tampering with a header though).