I had some good comments on my post about the lack of a “no cache” feature in Flash/Central, but there was some confusion about why this feature is necessary.. and
most people seemed to accept that preventing caching of SWFs delivered via
the web to the Flash Player is impossible. so.. I dug back through my old
files.
First you need to accept a few things:
- It’s easy to use an application other than a web browser to request
files from a web server, and so your efforts to instruct the
browser to not cache the file can be circumvented. - Some browsers will ignore your instructions
to not cache the files.. FireFox is one that will cache SWFs no matter
what I try. - Your efforts will only prevent the "honest" people from getting your
SWF. Someone who is determined WILL get your SWF.
If you’re still reading then I’ll assume you just want to make it a little
harder for someone to get your SWF, and you realize that at best you’re going
to stop 80 or 90% of the people from getting that precious SWF.
Still interested? Then try this..
- check your browser cache. On Windows XP
using Internet Explorer it is typically located here:
C:Documents and Settings%your username%Local SettingsTemporary Internet
Files
Mozilla is typically something like:
C:Documents and Settings%your username%Application DataMozillaFirefoxProfilesdefault.8wqCache - Sort the contents of that folder by "Last Accessed" so you can see the most
recently accessed files at the top. - Now click this link to open a new browser window: http://www.oddhammer.com/tutorials/nocache/SWF_security.html
- And now refresh your browser cache folder and you should not see the SWF_security.html
file, a GIF, and a couple of SWF files listed in there. If you do see
them, then count yourself in the 10% (just a guess..) who are going to cache the
files despite my best efforts. I already know that Firefox does not cache
the HTML or GIF files, but it does cache the SWF files.. I just don’t
know why.
If you didn’t see the files in your cache then you might be wondering how
I did that..
In my httpd.conf file (for Apache) I added this:
ExpiresActive On
header append cache-control: "no-cache"
header append pragma: "no-cache"
header append expires: "-1"
for the folder.. so everything I place in that folder will be sent with
the HTTP headers instructing the browser to not cache it.
From what I’ve found on the web those directives _should_ instruct Mozilla/FireFox
to NOT cache the HTML, GIF, or SWFs… but it still caches the SWFs.
There are similar "per folder" settings for IIS.
You can also set the headers in HTML,
ASP, PHP, etc.. via Meta tags and there’s info here: http://www.htmlgoodies.com/beyond/nocache.html but
I think that only applies to the page itself, and does not apply to all the
subsequent SWFs loaded from a "parent" SWF. So if my SWF loads other
SWFs then simply putting the nocache directives in the HTML file will not
prevent those additional SWFs from being cached (at least that’s what I’ve
found..).
You can also read the technote from Macromedia (last updated Sept of 2000)
here: http://www.macromedia.com/support/flash/ts/documents/prevent_caching.htm but it uses the Meta tag route.
Also, some folks are only interested in forcing the browser to always load
the latest version of a SWF by adding a random number to the end of the URL..
and others try to prevent caching of audio files and images by sending them
through a Flash Communication server (that’s pretty extreme..). Different
needs require different solutions.
Now.. back to my original rant..err point.. these solutions are merely workarounds.
I shouldn’t have to make changes to my server, or rely on Meta tags in the
HTML file, or have to send images through the FlashComm server… I should
be able to tell the Flash Player to load a SWF or an audio file and NOT cache
the file.
02 Oct 2004 at 02:34 pm | #
all this time, preventing caching was about preventing people from getting hold of your SWFs? c'mon... there are tools that make that easy... so that, i don't think those _really_ interested in your swfs resort to cached files...
...now, i think the &#xta;ge of people who can actually access your swfs if they so desire is much larger than u think here, but if u acknowledge that a certain 10% can actually get to the swfs (and that shd be so simple), then that 10% is actually those who possess the skill it takes to _really_ make anything out of your swf (so that the other might have had access, but probably couldn't do jack with it)... doesn't that defeat the purpose?
- eokyere
02 Oct 2004 at 03:17 pm | #
yeah.. I agree.. not caching a SWF definitely doesn't do much to protect it.. but that's one of the requirements I've been handed for a project. It does make it less likely that someone will just stumble upon the file in an obvious place though, so it's something that does need to be taken care of.
And like I said, it's easy to circumvent this..
03 Oct 2004 at 08:42 pm | #
I agree with previous comments. I think the bigger issue, rather than security, is that cached swf files can tend to get 'stuck'. Many browsers won't recognise a newer flash movie of the same name on the remote site, so updates and bug fixes to Flash applications may not be picked up by repeat visitors.
There's a number of documented workarounds for this issue, my favourite being to append an incremental value like getTimer(), or specific version number onto the end of each loadMovie url as a quierystring variable -- eg: loadMovie("myswf.swf?noCache="+getTimer()) or loadMovie("myswf.swf?noCache="+myApp.version).
But you have to balance all this with the fact that circumventing the cache forces your repeat vistors to reload all the flash movies each time, which can slow down access dramatically, and needlessly increase your site traffic.
12 Oct 2004 at 01:46 pm | #
Why not rename them into .gif or jpg or whatever, makes them harder to find and afaik, Flash doesn't care about the extension when instructed to load..?
13 Oct 2004 at 06:56 am | #
I don't agree.
Actually, I got the .swf file from my Cache ,even after I closed my browser.
btw,path of Cache:
I:Temp FilesTemporary Internet FilesContent.IE5X5M6WBB3SWF_security2[1].swf
Search in this folder ,plz---------------Temporary Internet Files, you will get it.
16 Oct 2004 at 09:41 pm | #
well.. I just viewed the page on both XP and win2k using IE6 and didn't find the files after searching all drives.. I did look in the "Temporary Internet Files" folders..
but it really doesn't matter.. I know that the files are going to be cached on some systems depending on what browser you're using, etc... the key is I have to tell my boss that I can't build a Flash application that loads SWFs and guarantee that the SWFs won't be written to the client system.
oh well... I guess I'm the only one (besides him) that thinks this is important. Time to start looking for a good farm for sale... one with sheep, goats, and maybe some chickens just for fun.
17 Oct 2004 at 09:47 am | #
Move your mouse to "Temporary Internet Files" folder, right click it and choose "Search",then type "*.swf" in the field, press <Enter>.
Good Luck.
http://dengjie.com/temp/search.gif
20 Oct 2004 at 01:32 pm | #
ok.. umm... like I said.. "I know that the files are going to be cached on some systems depending on what browser you're using, etc... "
I know what folders the SWF would normally be cached in.. and I know how to search for those files. They are NOT cached on most systems, but they ARE cached on some systems (as several people have pointed out.. again).
And like I've been saying all along.. it doesn't matter. The point is there's nothing in Flash that allows me to turn this "feature" off once and for all. I have to resort to hacks that don't work 100% of the time.
but.. if anyone else finds the SWFs.. please put your O/S, what browser (and include the version) you are using. I'm interested to see if anyone with IE6 on XP or Win2k can find the files..
19 Apr 2005 at 09:06 pm | #
With 2004, you can not re-load a modified swf into a continusly running movie without re-compiling the parent again.
You could with flash MX. But not with 2004, even with the 7.2 patch.
I am talking about running from the authoring environment, not the browser, so the append the rand number does not work here. I need to recompile my changes every 2 min, and now I have to recompile and re-run the unchanged parent swf everytime now too.
It does not matter if you clear your aso files and your browser cache. The old swf keeps loading back into the parent, when you use 2004.
This is actually a huge inconvience to me as I develp full blown casino games, and since I have changed to 2004 using as2, I find this 2004 cache bug really slows me down.
Woodie Dovich
26 Apr 2005 at 01:35 pm | #
Woodie.. I think you could have a small JSFL command in your IDE that deletes the SWF from your cache before testing the movie?
But.. I haven't run into this problem. I have a parent/child SWF situation and if I change the child and test the parent then the changes show up, so it might be a setting somewhere (maybe it's tied into your default browser??). ((using FMX04Pro 7.2 WinXP))
26 Apr 2005 at 08:24 pm | #
Thanks for the reply Mike,
I tried the JSFL command as well as manually deleting the aso files. I even deleted the child.swf before I recompiled it. And it still was the old ("deleted") child that I was looking at. I deleted my local dev folder swfs, and even the browser ones for good measure, even though I was not using the browswer.
The child must get cached in memory or something. I actually do not need to re-compile the parent. It is just that I need to see the traces, so I need to re-run and re-login the parent every time a child changes. To re-run the parent in the flash authoring environment means - re-compile.
My usual process with mx was keep the parent running, and using the parent menu system. Just unload the child game and reload it. That way I did not have to re-compile, re-login, re-select menu options in the parent every time the child changed.
I wonder if the problem comes from having both the child and the parent in the same 2004 project. I'll try not having the parent in the same project tomorrow at work and see how that goes.
And if that fails, next I will try dumping the flash 2004 authoring evvironment and see if I can survive with just MTASC and Sepy for most things.
01 Jul 2005 at 11:49 am | #
Hi Mike,
Since the last post to this blog was April 26th, I'm curious if you ever figured out how to do this more effectively? I tried the test and it worked flawlessly on IE, but Firefox cached all of the pieces of the page.
I also have a client who is interested in a way to deliver flash content that will not cache on any system -- since they are delivering secure documents and are considering flashpaper as a possible solution. They know that it may not be absolutely foolproof -- but at least make it very hard for a user to retrieve these docs later (if they are no longer an approved user for instance).
Thanks,
Brian
01 Jul 2005 at 08:30 pm | #
hmm.. I thought I added a link to this: http://oddhammer.com/tutorials/dont_cache/ it's a slightly better solution that seems to do a little better. Note that IE still caches the SWFs into the "super secret history of everything you've ever looked at on the web" folders which are only accessible via command line.. have I mentioned that MS sucks?
27 Aug 2005 at 11:22 am | #
mike that dont cache wont work with IE SP2 security issue apparently, yes MS SUCKS!
24 Feb 2006 at 02:05 am | #
So what is the final verdict?
I tested your movie in IE 6, Firefox 1.5, Firefox 1, and Netscape 4.8 (yes that old browser)
and could not find the test_cache.swf
Could you not block the OS and browsers that are caching it?