dcsimg
A Flash Developer Resource Site

Page 1 of 2 12 LastLast
Results 1 to 20 of 22

Thread: How to Prevent Browser Caching?

  1. #1
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302

    How to Prevent Browser Caching?

    I've done a game with Flash that uses variables on a PHP-pages (loadVariables)... But I noticed that the Browser has left the php-pages I've used in a Windows Temporary-internet-pages-folder. So it's a major security problem, if user can use these pages over and over again.

    1)
    Is there any way to prevent browser to cahching these php-pages?


    edit:
    And I don't mean just using "mypage.php?junk="+Math.random()
    These sites get cached too, the browser just don't know they are all the same site... You can find all of these pages in Temporary-Internet-Files-Folder.
    Last edited by TeroLebe; 10-10-2004 at 04:10 AM.

  2. #2
    Feeling adventurous? T1ger's Avatar
    Join Date
    Mar 2004
    Posts
    850
    PHP Code:
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    header("Last-Modified: " gmdate("D, d M Y H:i:s") . " GMT");
    header("Cache-Control: no-store, no-cache, must-revalidate");
    header("Cache-Control: post-check=0, pre-check=0"false);
    header("Pragma: no-cache"); 
    Just add this to the top of your page

    Edit: sent you a pm

  3. #3
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302
    Thanks T1ger, It seems to be working.

    I just don't want to show my variables names etc. to the players.

  4. #4
    Run for your life! Phlook's Avatar
    Join Date
    Jul 2003
    Location
    Vancouver, Canada
    Posts
    679
    I wonder, would the script work to prevent caching a .swf file?

  5. #5
    Untitled-2.fla
    Join Date
    Jul 2002
    Posts
    391
    Phlook - this won't stop people who want to from getting their hands on the .swf but it will stop idiots (like me), 56kb users won't like it though - redownloading the .swf everytime they refresh of visit your site
    Code:
    $fp = fopen("mov.swf", "r");
    header("Content-type: application/x-shockwave-flash");
    header("Cache-control: no-cache");
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    fpassthru($fp);

  6. #6
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302
    thanks token3, that was usefull.


    I was kind of looking for that code too.
    with that php-code I can now load different content with same filename even that user even knows it...


  7. #7
    Member
    Join Date
    Nov 2004
    Posts
    50
    Can some one please post a full php example with flash embed code and all, im a newb and i dont know how to write php.

    Also if some one could please explain what to do

    NM i tuck me a few minuts to figure it out i look at your source and saw that the flash opens the file thats smart LOL now i have to figure out how to do my xml files
    Last edited by epox123; 02-03-2005 at 08:44 PM.

  8. #8
    Custom User Title Incrue's Avatar
    Join Date
    Feb 2004
    Posts
    974
    Hi Terolebe
    I want to do the same as you, just wondering how this is working
    Also, i know php has some kind of encriptation, but i dont know for sure how it works; i was just wondering if it wouldn't be better to make this php,( the one who has the variables and that is not cacheable) encriptated, so that even if a thief hack my server he willnot be able to read my variables

  9. #9
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302
    Originally posted by Incrue
    Hi Terolebe
    I want to do the same as you, just wondering how this is working
    Also, i know php has some kind of encriptation, but i dont know for sure how it works; i was just wondering if it wouldn't be better to make this php,( the one who has the variables and that is not cacheable) encriptated, so that even if a thief hack my server he willnot be able to read my variables
    I think SessionCookies are sitebased, so thief cannot set cookies anywhere else than Your site. So he/she had to change whole php-code.

    I think the protection has worked good enough. Only problems are frames and iframes, but it is solved putting more content on my www-site (more than the game and hi-scores), so everybody playing my game would see the gamesite is leeched.

    use token 3's code to make dynamically swf-file.
    Pass a valid key from the mainsite (in the sessioncookies, that it wouldn't be so easy to see).

    key would be something like this md5(sha1("own_keyword1".md5("own_keyword2".round(t ime()/10))))

    so the key will change once in a 10 seconds, but yo still have to check the last 10 seconds key, just to make sure user hasn't used file just before the seconds had changed.

    Change $fp to swf-file, according to key is valid or not.

  10. #10
    Custom User Title Incrue's Avatar
    Join Date
    Feb 2004
    Posts
    974
    Ok, but take it easy, i am a bit confused here...
    I was thinking in flash loading variables from a php file, i dont understand what cookies has to do with it
    Originally posted by TeroLebe
    I think SessionCookies are sitebased, so thief cannot set cookies anywhere else than Your site. So he/she had to change whole php-code.
    Originally posted by Terolebe
    I think the protection has worked good enough. Only problems are frames and iframes, but it is solved putting more content on my www-site (more than the game and hi-scores), so everybody playing my game would see the gamesite is leeched.

    use token 3's code to make dynamically swf-file.
    Pass a valid key from the mainsite (in the sessioncookies, that it wouldn't be so easy to see).

    key would be something like this md5(sha1("own_keyword1".md5("own_keyword2".round(t ime()/10))))

    so the key will change once in a 10 seconds, but yo still have to check the last 10 seconds key, just to make sure user hasn't used file just before the seconds had changed.

    Change $fp to swf-file, according to key is valid or not.
    The goal of this part is to prevent iframe, rigth?So if he tries to iframe the name of the swf it will not work, isnt it?

    Also, back to loading the variables stuff, And if he tries to catch the php file from the server?Not sure if this is possible, becouse php is running in the server and them send to browser just html format, rigth?
    But, IF it is possible, them why not put those variables inside a mysql?
    Last edited by Incrue; 05-25-2005 at 04:04 AM.

  11. #11
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302
    Originally posted by Incrue
    Ok, but take it easy, i am a bit confused here...
    I was thinking in flash loading variables from a php file, i dont understand what cookies has to do with it
    No no no! You got it all wrong. I ment protect flash before it loads. So my code was pure php. So users only see "nohotlinking.swf" if they try to access swf file from another site.


    It is more secure than trying to protect with ActionScript.

  12. #12
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302
    Originally posted by Incrue
    IF it is possible, them why not put those variables inside a mysql?
    It is possible, it actually doesn't differ much from basic php-programming when using mysql, but Flash cannot access directly to the mysql database. You have to use php to print those variables out. Then again, those variables are let seen, if the user knows the right php-page.

    Using different keycode-cookies, that comes valid only when running them from the real site prevents bit unauthorites using those sites. But once you have got in trought metal door, the treasure is unsecured.


    edit:
    Of course, best way to program secure game with flash, is to make flash-player be just a user-interface. It is very hard to code this kind of user-interface, it might be too slow for flash, but it would be secure.
    It wouldn't accept any invalid commands.
    Commands would be only basic "run, walk, jump, shoot" etc.
    If the hacker could decompile swf-file, it wouldn't help him a bit.
    Last edited by TeroLebe; 05-25-2005 at 09:53 AM.

  13. #13
    Custom User Title Incrue's Avatar
    Join Date
    Feb 2004
    Posts
    974
    Now i am completely lost
    1.This php that the swf loads variables from it,this php is the cookie?

    2You mean,the php who calls the swf dont stay in cache?
    --------
    Anyway,i want to do the folowing:
    The swf sends and loads variables to a php
    Flash send:varcontent=1
    The php receives and echo another variables to send them to flash,ex:
    enemies=4;lives=3;leprechaun="iwanttoeatu";sizeofs quare=45
    Them swf receives those variables
    And,only when the swf knows he has received those variables,he goes send and load another variables to the SAME php
    He sends: varcontent=2
    The php receives,and,if varcontent=2, echos another variables to flash:
    enemies=0;lives=0;leprechaun="",sizeofsquare=0
    Flash will not do anything with those new variables, he already has put the old variables inside other variables and that will be the ones he will use to run the game
    And in the end, the thief will not find the php who send the variables in cache, and if he tries to run those php, the php will output the wrong content
    What do you think?Obsessive compulsive?Yes, i am...

  14. #14
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302
    sorry, but looks like we weren't talking about same thing...

  15. #15
    Custom User Title Incrue's Avatar
    Join Date
    Feb 2004
    Posts
    974
    Very true, after the --------- i was just showing a idea who has something to do with 'dont make a php stay in cache'
    I still didnt understand what you were talking about; this protect the swf before it loads is just about hidding his name, isnt it?And the name cames from the cookie, rigth?
    But if the thief still can catch the swf in cache he will see the name of the swf...
    gosh i have to stop thinking about this...

  16. #16
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302
    Originally posted by Incrue
    this protect the swf before it loads is just about hidding his name, isnt it?
    Kind of.... The filename is not hidden, it more like "game_file.php"

    Php will change the content of this file according to the data stored into the Cookies. If Cookies value is valid, then game_file.php contains the game-swf, if not, it contains hotlinked.swf -file.

    Originally posted by Incrue
    And the name cames from the cookie, rigth?
    No. Cookies are only used to store the temporary data, to see if user is trying to run the file on a real server.
    And leechers are not so easily given a opportunity to hotlink this file, because Cookies contains the hashed time. So the valid value is changed once in 10 seconds.

    Originally posted by Incrue
    But if the thief still can catch the swf in cache he will see the name of the swf...
    Well, not the real filename, but because the game is browser based, the file itself is stored to the cache.
    Last edited by TeroLebe; 05-27-2005 at 10:08 AM.

  17. #17
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302
    Originally posted by Incrue

    Flash send:varcontent=1

    The php receives and echo another variables to send them to flash,ex:
    enemies=4;lives=3;leprechaun="iwanttoeatu";sizeofs quare=45

    Them swf receives those variables

    He sends: varcontent=2
    The php receives,and,if varcontent=2, echos another variables to flash:
    enemies=0;lives=0;leprechaun="",sizeofsquare=0
    OK, don't see the point of sending useless variables. If i'd decompiled an swf, I would look for the code, I could easily see what your code does (And what it doesn't) in the swf-file.

  18. #18
    Custom User Title Incrue's Avatar
    Join Date
    Feb 2004
    Posts
    974
    Thats cos i am breacking my head to make a code who will only make sense and works fine if it has the correct variables

  19. #19
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302
    Originally posted by Incrue
    Thats cos i am breacking my head to make a code who will only make sense and works fine if it has the correct variables
    My Friend, Have You ever heard of MD5?

    Send variables with md5 hash (hash contains also those variables in a string), so it would be so easy to "hack" your system. Also there is a weakness, because decompilers will show the seed of your hash in the actionScript, but it will reduce hacking.

    md5 is opensource hashing metod, so it will be easy to find in the internet.

    make your code only accept variables if the md5-hash is correct to those variables.

  20. #20
    Member
    Join Date
    Dec 2004
    Location
    Sweden
    Posts
    84
    Hi

    I have one question.

    What I can see I can use some PHP script too stop caching a page with a SWF file.

    Now I have a swf and a FLV file that I dont want to caching in the browser.
    Is that any actionscript I can use that do that?
    Cazz

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  




Click Here to Expand Forum to Full Width

HTML5 Development Center