Hi,

I'm looking for a way to protect coursecontent like -images and flash against deeplinking.

Situation 1:
I uploades content like SWF-files in the mediamanager within the course.
I opened the course to read the content. I viewed the pagesource (browser function) and I can see the location and the name of the flashfile. I copied the location, closed the studentsession an pasted this flashlocation in my browser. I can still view this flashfile. Now I can post these flashlocation on forums worldwide and everybody can view this content without paying for the course.

Situation 2:
I created a folder in the docebo-directory. named content. In this folder I uploaded a flashfile. I protect this folder with .htaccess so only accesable out of the docebo-area. I use in the course-html a javascript so this flashfile will appear in a pop-up. (the pop-upscript refers to a htm-file, wich contains the adress of the flashfile. (also this folders contains a htm-file and the reffering flashfile)It al works fine with FF, Chrome, Opera, exept with IE.

After reading some forum-postings I noticed that IE is giving some problems with sending its refferrer!

Using a htaccess-file which is blocking BLANK-REFERRER, IE can not acces this folder because combined with a "flashrequest" it is not sending its referrer!  disable this blank-referrer-part in this htacces-file makes this folder vulnerable for deeplink-abuse.



I want to use media like flash opening in a popup the reason for using popups: using a lot of flash and/or movie-files in a course the use of popups decreases the traffic and time the complete page is loades. Only the flashfiles which are chosen by the user wil generate traffic and open in the browser. So when a student is accessing a lession several times, the browser is not opening any popup(with media) until the student has clicked one. Using popups is makes it possible to use different resolutions of media-files and so the user can make a choise for resolution and/or fyletype (eg: swf/mov/avi/quicktime etc)

My question:

How can I use media-files inside docebo without these files being vulnerable for deeplinking

I'm using a popupscript like this:

<script type="text/javascript"><!--
        function popUp(URL) {
        day = new Date();
        id = day.getTime();
        eval("page" + id + " = window.open(URL, '" + id + "', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=800,height=600,left = 560,top = 300');");}
// --></script>
<a href="javascript:popUp('http://www.website.com/content/popup_page.html')"><span><strong>Click here</strong></span><br />Flash about xxx </a>

the page popup_page.html contains the following code:

<html>
    <head>
          <meta http-equiv="content-type"
         content="text/html; charset=ISO-8859-1">
        <title>    Flash-presentation X</title>
    </head>
<body>
    <center>
        <OBJECT CLASSID="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" WIDTH="800" HEIGHT="586" CODEBASE="http://
            active.macromedia.com/flash5/cabs/swflash.cab#version=5,0,0,0">
            <PARAM NAME=movie VALUE="flashfile_X.swf">
            <PARAM NAME=play VALUE=true>
            <PARAM NAME=loop VALUE=false>
            <PARAM NAME=quality VALUE=low>
                <EMBED SRC="flashfile_X.swf" WIDTH=800 HEIGHT=586 quality=low loop=false TYPE="application/x-shockwave-flash"
                    PLUGINSPAGE="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash">
                </EMBED>
        </OBJECT>
    </center>

</body>
</html>


so the problem is IE6 and IE7 which is not sending referrers to the server so .htaccess protection against deeplinking does not work
As well by using some firewalls an proxyservers its possible that other browsers as wel can't send the referral to the server it might be blocked by the firewall and/or proxy as well!

So the option .htaccess with blocking blank referrer is not usable for protection.
I there some way to use something with get.php? (i'm not familiar with that).

Maybe there's a possibillity to use some session-ID of some cookies to solve this problem??
I'm also not familiar with that.

I hope somebody can help me

thanks a lot in advance

see also http://www.webmasterworld.com/forum10/2566.htm
and: http://www.experts-exchange.com/Software/Internet_Email/Web_Browsers/Internet_Explorer/Q_22760746.html

Why you need to protect from the LMS and you don't protect the flash file? For example you can add a script that let execute the flash file only if called from a correct domain
Claudio 

I want to protect the flashfile against deeplinking OUTSIDE the LMS  so people can not use the flashfiles without acces to the course.

I can protect the folder of the flash with .htaccess script. but using a blank-refferrer-blocking IE(Internet Explorer) can not access the flashfile (opera, Chrome, FF works without problem)

.htaccess is controlling the access to the folder bij checking the refferrer (from where the request is made) in this way it is possible to grant access only for referreres made from the inside of the LMS (www.mywebsite.com/docebo) so far no problem. This is also what you quoted "add a script that let execute the flash file only if called from a correct domain"( As far as I understand your reply)
A blank-refferrer means the browser is not sending the refferrer (from where the request is made) this is happening with IE by requesting FLASHfiles. Its a wel-known problem (only with flashfiles) see url-links posted in the first message). It is possible that some firewalls and proxyservers block refferers as well.  When I'm not using blank-referrer-blokking, it's very simple to access the flashfiles(view) without being a student. By using IE and filling in the URL, somebody copied from the inside of a lesson (during a paid access). So when people are start to post these url's (to the flashfiles) in forums /p2p etc. the created course-content is free available. So by not using blankrefferrer-protection htaccess is useless.




explanation 1
In the coursecontent I'm using a javascript for the popup:

<script type="text/javascript"><!--
        function popUp(URL) {
        day = new Date();
        id = day.getTime();
        eval("page" + id + " = window.open(URL, '" + id + "', 'toolbar=0,scrollbars=0,location=0,statusbar=0,menubar=0,resizable=0,width=800,height=600,left = 560,top = 300');");}
// --></script>
<a href="javascript:popUp('http://www.website.com/content/popup_page.html')"><span><strong>Click here</strong></span><br />Flash about xxx </a>

Explanation 2:
This script is opening a new window(popupsize) with a html-code like this:
<html>
    <head>
          <meta http-equiv="content-type"
         content="text/html; charset=ISO-8859-1">
        <title>    Flash-presentation X</title>
    </head>
<body>
    <center>
        <OBJECT CLASSID="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" WIDTH="800" HEIGHT="586" CODEBASE="http://
            active.macromedia.com/flash5/cabs/swflash.cab#version=5,0,0,0">
            <PARAM NAME=movie VALUE="flashfile_X.swf">
            <PARAM NAME=play VALUE=true>
            <PARAM NAME=loop VALUE=false>
            <PARAM NAME=quality VALUE=low>
                <EMBED SRC="flashfile_X.swf" WIDTH=800 HEIGHT=586 quality=low loop=false TYPE="application/x-shockwave-flash"
                    PLUGINSPAGE="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash">
                </EMBED>
        </OBJECT>
    </center>

</body>
</html>

This htmlpage is located: www.mywebsite.com/docebo/content/
this folder is not protected bij session-id or sessioncookies. It's a self-created folder.
This folder I want to protect with .htaccess. IE is sending its refferrer for each file request EXEPT with a flashrequest. Then it's a BLANK-reff.  so no acces to the flashfile. So the popup will stay empty.

explanation 3:
The folder www.mywebsite.com/docebo/content/ also contains the flash.swf file which is loaded by the flash.html file.

so how can I use flashfiles in a POPUP which are uploades in the media/file-manager
I need to open the flashfiles in a Popup (see first posting)
maybe there are some folders within Docebo I can use for storage of these flashfiles by using FTP?
verry important that those folders are not accessable by the browser without being logged in!

I hope you can help me Claudio

I would be verry gratefull

IS that a SCORM compliant content?
Claudio 

HiClaudio,

I don't know if it's Scorm-compliant. It's a flashfile I made, which appears in a popup by using the script mentioned above  in a html page wich is created in an external html-editor (GEdit = Gnome editor)

So I want to create a lesson in HTML which reffers to a flash.html  (this flash.HTML contains a path to the flash.SWF)
In this way the page with the flashfile (html+swf) opens in a popup.

I hope you can help me?

Try to create a scorm compliant course, then without the api.js you can't attend the course.
It's important that you create "serious" e-learning content and scorm is the best.
Claudio 

Hi Claudio,

Thanks for your quick reply,

I don't know anything about scorm except it's a open standard to contain course-material and media, in this way it ś easier to import and export complete courses.
I think it should be wise for me to find out more about scorm.

I have e few questions about the possibillities of scorm:

1. is use of popups with flash possible in scorm?
2. is javascript useable in scorm?
3. is it possible to create and export a scorm-course out of Docebo?
4. can you suggest me some url's to learn more about scorm?

I also have a lot of "problems" with the used DocStyleDefenition when using mouse-over javascript (only in IE) I read on forums:
Depending on the document type declaration present in the HTML document, the browser will switch into either quirk mode or standard mode. If there is no document type declaration present, the browser will switch into quirk mode.
So by deleting the doctypedefinitions in the HTML of docebo the mouseover-java works correctly in all browsers and IE, after using the original doctypedefinitions javascript mouseovers still working in other browsers except IE 6 & 7  (only tested these 2)

so question 5,
Is this DSD-problem also solved by using scorm-compliant content.

because at the moment I'm preparing all my courses in plain HTML, and copy-paste this into an empty HTML-page in the course


(iḿ still in testing mode)


thanks a lot

regards
Patrick

1) yes
2) Yes, it's mandatory
3) Docebo is an LMS not an authoring tool, then you can Import scorm course in Docebo
4) You can start using authoring software that generate scorm. I Suggest: Articulate, Captivate, Exelearning and, for creating organizations, the Reload editor

Claudio 

Hi Claudio

I have tested something out:

I uploaded a flashfile into the demo-Lms and placed this flash in a page:
http://www.demo.docebo.org/doceboLms/index.php?modname=organization&op=custom_playitem&edit=1&id_item=25

When I view the page I can also view the pagesource. over there I can find the path to the flashfile:
http://www.demo.docebo.org/files/common/users/1368_10_1237551903_test.swf

Unfortunally it is possible to deeplink to this file just by using the path/url mentioned:
http://www.demo.docebo.org/files/common/users/1368_10_1237551903_test.swf

So by seeding this url (forumpostings and deeplinking in other sites) NON-students still have access to this content.


I am sure I did test it on another computer with a different IP-number.
So it can NOT  be a session_ID, Cookie or IP-recognition
So how can I avoid this?


regards Patrick

For example you can limit SWF progression to the api.js start execution ...
It's all a lerning object problem, not platform. In my hopinion the best thing you can do is explore how to protect flash content and not focus on LMS. I mean, LMS depends on the server anyway ...
Claudio 

Ok Claudio,

thanks for your reply,

Now I'm focussing on some javascript and cookie-protection for the swf-files itselfs.  
like you mentioned.

regards Patrick