Music Player Security - How do I hide the browser URL?

Here is a chance for you to make my developers look bad.

I have hired these guys to development my website which, in part, has music demos available to my users. These demos must include the entire piece with a spoiler in the background so users can not record them freely. The files must be secure! My original request was to have them build an application that merged the two files (spoiler and original music) into a single mp3 file and have this available as the demo. Then it would be OK if users were to download the demo.

However, my developers choose to do it this way instead. They use Flash Player to play both the spoiler sound and the original music simultaneously. This seems to work OK except the browser window containing the demo includes the URL. Even a simple hack like me can use this URL to access the source code of the page and identify the mp3 (or other type) music file address. With this the music file can be freely downloaded (without the spoiler). My developer tells me he can not make the page appear without the URL. There must be a way to do this. Is there a way?

Here is a link to my web site page containing demos. You can click on the music icons to initiate the demo and see the browser window, with the URL exposed.

http://www.gracesskatecloset.com/allMusicForsale.aspx?size=2

Note this site is under development and will be changing as better solutions are found. Note that my developer’s latest fix was to put a password on the music directory. I don’t know what he was thinking. This completely defeats the purpose of the demo. Users can no longer hear the demos. However, you can still see the browser window with the URL exposed as discussed here.

re: Music Player Security - How do I hide the browser URL?

im a bit confused, you're asking if you can play the music without the direct link, correct?

re: Music Player Security - How do I hide the browser URL?

The only way to securely do this is by having the two sound files merged before they are every touched by Flash. I would strongly suggest that you maintain a "dirty" version of the sound file in the database along with the "clean" one and only download the clean one once it has been purchased. You would be quite smart to make sure that the locations (i.e. URLs) are not set up in such a way that there is no foreseeable relationship between the "dirty" and "clean" filenames/URLs.

The reason for this is that even though you may not be able to "see" the URL directly, someone could easily take a packet sniffer and use the relationship between the two files to extrapolate your entire database.

Additionally, your Flash application should never have direct contact to your "pay" content.

Finally, fire your smacktard employees and hire real programmers who are experienced in the use of business logic.