If all you're worried about is someone being able to call up your .flv on demand by faking that identifier in the flashvars, we've got a fairly good solution that we created when we built SexyPolitics.com... Upon loading, a PHP script creates a random token and writes it into a database table, keyed to the particular FLV you want to play (use a MEMORY engine for speed); that token is sent to Flash either in the initial flashvars or by a later URLRequest. When it's time to play the video, Flash then passes that token back to a PHP file which checks its validity, determines which .flv it refers to, deletes the token from the database, and streams the .flv file on success. Because the .flv is streamed through the PHP file that accepts or rejects the token, but resides in a folder blocked to the outside web by an .htaccess file, this prevents users from directly accessing the .flv; and since the token is single-use, they can't make a second request with the same token against the PHP file. It's not 100% fool-proof, but it ain't too bad.