
Thread: How to Prevent Browser Caching?

  1. #1
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302

    How to Prevent Browser Caching?

    I've done a game with Flash that uses variables on PHP-pages (loadVariables)... But I noticed that the browser has left the php-pages I've used in the Windows Temporary-internet-pages-folder. So it's a major security problem if the user can use these pages over and over again.

    1)
    Is there any way to prevent the browser from caching these php-pages?


    edit:
    And I don't mean just using "mypage.php?junk="+Math.random()
    These sites get cached too, the browser just doesn't know they are all the same site... You can find all of these pages in Temporary-Internet-Files-Folder.
    Last edited by TeroLebe; 10-10-2004 at 04:10 AM.

  2. #2
    Feeling adventurous? T1ger's Avatar
    Join Date
    Mar 2004
    Posts
    850
    PHP Code:
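    // Expiry date in the past, so any stored copy is already stale
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");
    // HTTP/1.1: do not store the response, and revalidate before any reuse
    header("Cache-Control: no-store, no-cache, must-revalidate");
    // false = send a second Cache-Control header instead of replacing the first
    header("Cache-Control: post-check=0, pre-check=0", false);
    // HTTP/1.0 clients and proxies
    header("Pragma: no-cache");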
    Just add this to the top of your page

    Edit: sent you a pm

  3. #3
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302
    Thanks T1ger, it seems to be working.

    I just don't want to show my variable names etc. to the players.

  4. #4
    Run for your life! Phlook's Avatar
    Join Date
    Jul 2003
    Location
    Vancouver, Canada
    Posts
    679
    I wonder, would the script work to prevent caching a .swf file?

  5. #5
    Untitled-2.fla
    Join Date
    Jul 2002
    Posts
    391
    Phlook - this won't stop people who want to from getting their hands on the .swf but it will stop idiots (like me), 56kb users won't like it though - redownloading the .swf every time they refresh or visit your site
    Code:
    $fp = fopen("mov.swf", "r");
    header("Content-type: application/x-shockwave-flash");
    header("Cache-control: no-cache");
    header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");
    fpassthru($fp);

  6. #6
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302
    Thanks token3, that was useful.


    I was kind of looking for that code too.
    with that php-code I can now load different content with same filename even that user even knows it...


  7. #7
    Member
    Join Date
    Nov 2004
    Posts
    50
    Can someone please post a full php example with flash embed code and all, I'm a newb and I don't know how to write php.

    Also if someone could please explain what to do

    NM, it took me a few minutes to figure it out. I looked at your source and saw that the flash opens the file, that's smart LOL. Now I have to figure out how to do my xml files
    Last edited by epox123; 02-03-2005 at 08:44 PM.

  8. #8
    Custom User Title Incrue's Avatar
    Join Date
    Feb 2004
    Posts
    973
    Hi Terolebe
    I want to do the same as you, just wondering how this is working
    Also, I know php has some kind of encryption, but I don't know for sure how it works; I was just wondering if it wouldn't be better to make this php (the one that has the variables and that is not cacheable) encrypted, so that even if a thief hacks my server he will not be able to read my variables

  9. #9
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302
    Originally posted by Incrue
    Hi Terolebe
    I want to do the same as you, just wondering how this is working
    Also, I know php has some kind of encryption, but I don't know for sure how it works; I was just wondering if it wouldn't be better to make this php (the one that has the variables and that is not cacheable) encrypted, so that even if a thief hacks my server he will not be able to read my variables
    I think SessionCookies are sitebased, so thief cannot set cookies anywhere else than Your site. So he/she had to change whole php-code.

    I think the protection has worked good enough. Only problems are frames and iframes, but it is solved putting more content on my www-site (more than the game and hi-scores), so everybody playing my game would see the gamesite is leeched.

    use token 3's code to make dynamically swf-file.
    Pass a valid key from the mainsite (in the sessioncookies, that it wouldn't be so easy to see).

    key would be something like this md5(sha1("own_keyword1".md5("own_keyword2".round(time()/10))))

    so the key will change once in 10 seconds, but you still have to check the last 10 seconds' key, just to make sure the user hasn't used the file just before the seconds had changed.

    Change $fp to swf-file, according to key is valid or not.
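
    Added example, not part of the original post: a PHP sketch of the rotating key check described in post #9, accepting the current and the previous 10-second key. It swaps the nested md5/sha1 for HMAC-SHA256 with a constant-time comparison; the cookie name `gamekey`, the secret and `game.swf` are assumptions, and `nohotlinking.swf` is the fallback file named later in the thread.

    ```php
    <?php
    // Added example, not the poster's code. Assumptions: HMAC-SHA256 replaces
    // md5(sha1(...)); cookie name, secret and game.swf are placeholders.
    const KEY_SECRET  = 'replace-with-a-long-random-server-side-secret';
    const WINDOW_SECS = 10; // the key changes every 10 seconds, as in the post

    // Key for one 10-second window, derived from a secret only the server knows.
    function window_key(int $window): string
    {
        return hash_hmac('sha256', (string) $window, KEY_SECRET);
    }

    // Accept the current window's key and the one before it, so a key issued
    // just before the boundary still works.
    function key_is_valid(string $candidate, int $now): bool
    {
        $current = intdiv($now, WINDOW_SECS);
        foreach ([$current, $current - 1] as $window) {
            if (hash_equals(window_key($window), $candidate)) {
                return true;
            }
        }
        return false;
    }

    // Decide which file the SWF-serving script should stream.
    function swf_for_request(array $cookies, int $now): string
    {
        $candidate = $cookies['gamekey'] ?? '';
        if (!is_string($candidate) || !key_is_valid($candidate, $now)) {
            return 'nohotlinking.swf';
        }
        return 'game.swf';
    }

    // Constructed demonstration with a fixed clock instead of time().
    $now   = 1117000005;
    $fresh = window_key(intdiv($now, WINDOW_SECS));      // issued this window
    $prev  = window_key(intdiv($now - 10, WINDOW_SECS)); // issued one window ago
    $stale = window_key(intdiv($now - 60, WINDOW_SECS)); // issued a minute ago
    foreach (['fresh' => $fresh, 'previous' => $prev, 'stale' => $stale, 'none' => null] as $label => $key) {
        $cookies = $key === null ? [] : ['gamekey' => $key];
        echo $label, ': ', swf_for_request($cookies, $now), "\n";
    }
    ```

    On a live site the main page would set the cookie from `window_key(intdiv(time(), WINDOW_SECS))` and the serving script would call `swf_for_request($_COOKIE, time())`. A key stays valid for between 10 and 20 seconds after it is issued, and it only shows that the main page was requested in that time.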

  10. #10
    Custom User Title Incrue's Avatar
    Join Date
    Feb 2004
    Posts
    973
    Ok, but take it easy, i am a bit confused here...
    I was thinking of flash loading variables from a php file, I don't understand what cookies have to do with it
    Originally posted by TeroLebe
    I think SessionCookies are sitebased, so thief cannot set cookies anywhere else than Your site. So he/she had to change whole php-code.
    Originally posted by Terolebe
    I think the protection has worked good enough. Only problems are frames and iframes, but it is solved putting more content on my www-site (more than the game and hi-scores), so everybody playing my game would see the gamesite is leeched.

    use token 3's code to make dynamically swf-file.
    Pass a valid key from the mainsite (in the sessioncookies, that it wouldn't be so easy to see).

    key would be something like this md5(sha1("own_keyword1".md5("own_keyword2".round(time()/10))))

    so the key will change once in 10 seconds, but you still have to check the last 10 seconds' key, just to make sure the user hasn't used the file just before the seconds had changed.

    Change $fp to swf-file, according to key is valid or not.
    The goal of this part is to prevent iframes, right? So if he tries to iframe the name of the swf it will not work, isn't it?

    Also, back to the loading variables stuff: what if he tries to catch the php file from the server? Not sure if this is possible, because php is running on the server and then sends just html format to the browser, right?
    But, IF it is possible, then why not put those variables inside a mysql?
    Last edited by Incrue; 05-25-2005 at 04:04 AM.

  11. #11
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302
    Originally posted by Incrue
    Ok, but take it easy, i am a bit confused here...
    I was thinking of flash loading variables from a php file, I don't understand what cookies have to do with it
    No no no! You got it all wrong. I meant protecting flash before it loads. So my code was pure php. So users only see "nohotlinking.swf" if they try to access the swf file from another site.


    It is more secure than trying to protect with ActionScript.

  12. #12
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302
    Originally posted by Incrue
    IF it is possible, then why not put those variables inside a mysql?
    It is possible, it actually doesn't differ much from basic php-programming when using mysql, but Flash cannot directly access the mysql database. You have to use php to print those variables out. Then again, those variables can be seen if the user knows the right php-page.

    Using different keycode-cookies, that become valid only when running them from the real site, prevents, a bit, unauthorized users from using those sites. But once you have got in through the metal door, the treasure is unsecured.


    edit:
    Of course, best way to program secure game with flash, is to make flash-player be just a user-interface. It is very hard to code this kind of user-interface, it might be too slow for flash, but it would be secure.
    It wouldn't accept any invalid commands.
    Commands would be only basic "run, walk, jump, shoot" etc.
    If the hacker could decompile swf-file, it wouldn't help him a bit.
    Last edited by TeroLebe; 05-25-2005 at 09:53 AM.

  13. #13
    Custom User Title Incrue's Avatar
    Join Date
    Feb 2004
    Posts
    973
    Now I am completely lost
    1. This php that the swf loads variables from it, this php is the cookie?

    2. You mean, the php who calls the swf doesn't stay in cache?
    --------
    Anyway, I want to do the following:
    The swf sends and loads variables to a php
    Flash sends: varcontent=1
    The php receives and echoes other variables to send them to flash, ex:
    enemies=4;lives=3;leprechaun="iwanttoeatu";sizeofsquare=45
    Then the swf receives those variables
    And, only when the swf knows he has received those variables, he goes to send and load other variables to the SAME php
    He sends: varcontent=2
    The php receives, and, if varcontent=2, echoes other variables to flash:
    enemies=0;lives=0;leprechaun="",sizeofsquare=0
    Flash will not do anything with those new variables, he has already put the old variables inside other variables and those will be the ones he will use to run the game
    And in the end, the thief will not find the php who sends the variables in cache, and if he tries to run that php, the php will output the wrong content
    What do you think? Obsessive compulsive? Yes, I am...

  14. #14
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302
    sorry, but looks like we weren't talking about same thing...

  15. #15
    Custom User Title Incrue's Avatar
    Join Date
    Feb 2004
    Posts
    973
    Very true, after the --------- I was just showing an idea that has something to do with 'don't make a php stay in cache'
    I still didn't understand what you were talking about; this protecting the swf before it loads is just about hiding his name, isn't it? And the name comes from the cookie, right?
    But if the thief can still catch the swf in cache he will see the name of the swf...
    Gosh, I have to stop thinking about this...

  16. #16
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302
    Originally posted by Incrue
    this protecting the swf before it loads is just about hiding his name, isn't it?
    Kind of.... The filename is not hidden, it more like "game_file.php"

    Php will change the content of this file according to the data stored into the Cookies. If Cookies value is valid, then game_file.php contains the game-swf, if not, it contains hotlinked.swf -file.

    Originally posted by Incrue
    And the name comes from the cookie, right?
    No. Cookies are only used to store the temporary data, to see if the user is trying to run the file on the real server.
    And leechers are not so easily given an opportunity to hotlink this file, because the Cookies contain the hashed time. So the valid value is changed once in 10 seconds.

    Originally posted by Incrue
    But if the thief still can catch the swf in cache he will see the name of the swf...
    Well, not the real filename, but because the game is browser based, the file itself is stored to the cache.
    Last edited by TeroLebe; 05-27-2005 at 10:08 AM.

  17. #17
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302
    Originally posted by Incrue

    Flash sends: varcontent=1

    The php receives and echoes other variables to send them to flash, ex:
    enemies=4;lives=3;leprechaun="iwanttoeatu";sizeofsquare=45

    Then the swf receives those variables

    He sends: varcontent=2
    The php receives, and, if varcontent=2, echoes other variables to flash:
    enemies=0;lives=0;leprechaun="",sizeofsquare=0
    OK, I don't see the point of sending useless variables. If I'd decompiled an swf, I would look for the code, I could easily see what your code does (and what it doesn't) in the swf-file.

  18. #18
    Custom User Title Incrue's Avatar
    Join Date
    Feb 2004
    Posts
    973
    That's cos I am breaking my head to make a code that will only make sense and work fine if it has the correct variables

  19. #19
    Senior Member TeroLebe's Avatar
    Join Date
    Mar 2003
    Location
    Lahti, Finland
    Posts
    302
    Originally posted by Incrue
    That's cos I am breaking my head to make a code that will only make sense and work fine if it has the correct variables
    My Friend, Have You ever heard of MD5?

    Send variables with md5 hash (hash contains also those variables in a string), so it would be so easy to "hack" your system. Also there is a weakness, because decompilers will show the seed of your hash in the actionScript, but it will reduce hacking.

    md5 is an opensource hashing method, so it will be easy to find on the internet.

    make your code only accept variables if the md5-hash is correct to those variables.
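
    Added example, not part of the original post: the server side of the check suggested in post #19, accepting variables only when the hash sent with them matches. It uses HMAC-SHA256 in place of md5 with a seed; the field name `sig` and the secret are assumptions, and the variable names are taken from the sample earlier in the thread.

    ```php
    <?php
    // Added example, not the poster's code. Assumptions: HMAC-SHA256 stands in
    // for md5 + seed, the hash travels in a field named "sig", the secret is a
    // placeholder.
    const VARS_SECRET = 'replace-with-a-long-random-secret';

    // Canonical form: keys sorted and values URL-encoded, so field order does
    // not matter and a value cannot smuggle in an extra "&lives=99".
    function canonical_vars(array $vars): string
    {
        ksort($vars, SORT_STRING);
        return http_build_query($vars, '', '&', PHP_QUERY_RFC3986);
    }

    // Keyed hash over every variable in the message.
    function sign_vars(array $vars): string
    {
        return hash_hmac('sha256', canonical_vars($vars), VARS_SECRET);
    }

    // Returns the verified variables, or null when the hash is missing or wrong.
    function verify_vars(array $request): ?array
    {
        $sig = $request['sig'] ?? null;
        unset($request['sig']);
        if (!is_string($sig) || !hash_equals(sign_vars($request), $sig)) {
            return null;
        }
        return $request;
    }

    // Constructed sample message and two altered copies of it.
    $vars     = ['enemies' => '4', 'lives' => '3', 'sizeofsquare' => '45'];
    $message  = $vars + ['sig' => sign_vars($vars)];
    $tampered = ['lives' => '99'] + $message;   // value changed, old hash kept
    $unsigned = $vars;                          // hash left out

    foreach (['original' => $message, 'tampered' => $tampered, 'unsigned' => $unsigned] as $label => $msg) {
        echo $label, ': ', verify_vars($msg) === null ? 'rejected' : 'accepted', "\n";
    }
    ```

    For the SWF to produce the hash, the same secret has to be inside the SWF, which is the decompiler weakness the post mentions; the check raises the effort needed to tamper rather than removing the possibility.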

  20. #20
    Member
    Join Date
    Dec 2004
    Location
    Sweden
    Posts
    84
    Hi

    I have one question.

    From what I can see, I can use some PHP script to stop caching a page with a SWF file.

    Now I have a swf and a FLV file that I don't want to be cached in the browser.
    Is there any actionscript I can use that does that?
    Cazz
