How can I prevent users from downloading mp3s but still access via flash player?

[toasty]

So here's my site's situation.  On one of my pages I have a flash document that acts as a music player; this flash doc is accessing .mp3 files located in sub folders on my host's (linux) server.  The way the access is setup on my site a user can't access the folder the .mp3s are located in, however if they know the file names they [b]can[/b] link directly to the .mp3s to either download them or play them directly from a browser window.

I've tried chmod'ing access from the server to 700 or several variations however I haven't ended up with what I want.  It seems that the only way I can deny (via permissions) direct access to the files is to remove all but the owner permissions.  This however has the undesired effect of preventing the flash document from accessing them as well.

I've also tried password protecting the folder that they're in; however anytime any page accesses the flash document (because it's located on more then one page) the browser prompts for a username/password.  Also not desireable.  I want the "protection" to be as transparent as is possible.

Here's the directory structure:
[code]
root_folder
|_index.php (the main page that uses the flash doc)
|_audio_folder (contains the flash doc and audio files I want protected)
  |_flash.swf (plays the music files)
  |_song1.mp3
  |_song2.mp3
  |_songxxx.mp3
[/code]
If moving the .swf out of the audio_folder is necessary to protect the .mp3s, that's fine.  I just want the player to work with transparent access to the .mp3s [b]while[/b] preventing users from directly accessing/downloading my tunes.

Thanks for any help guys!

[obsidian]

I ran into the same problem with images at one point, and the way I handled it was to write an actual handler script that hits your folder and passes the data stream on to the calling script. The result in my case was that I was actually hitting a php file for the src of my img tags. Now, you may wonder how this helps... well, since you can reference files in a directory sub web-root via PHP, you have now allowed yourself to place your actual sound files below web root, therefore rendering them inaccessible to browsers. The key is that your php file has to know what type of file it's hitting and make sure that the content type (MIME type) of the data it outputs is valid for the document it's handling.

[toasty]

Thanks for the suggestion Obsidian, I think I get the theory behind it.  You wouldn't by chance have any example of code I might be able to play with would you?  I've had decent reverse engineering experience with PHP but as far as actual coding I fall in the nill category.

If not, that's cool, at least this gives me a little direction to head in. :)

[obsidian]

I don't have anything right off. I'll see if I can scrounge up the image one I used here at work. If not, I'm sure we'll have some other thoughts from some of the other guys on here.

[steviewdr]

Put the mp3's in a seperate folder.

Put a .htaccess file in the same folder with:
deny from all

You will then have to put a php file to serve out the mp3's. Something like:
<?
//name of this php file is: serve.php
$path = $HTTP_GET_VARS['filename'];
if (substr($path, -4,4) != ".mp3") {
                                  echo "bye bye";
                                  exit;
}
//echo "ok";
$file = basename($path);
$size = filesize($path);

header ("Content-Type: application/octet-stream");
header("Content-Disposition: attachment; filename=$file");
header("Content-Length: $size");

readfile($path);
?>

Call the above file then with:
serve.php?filename=mp3/song1.mp3

Or something similar. There is tons of options.

-steve