Jump to content


Photo

Block Direct Access to files


  • Please log in to reply
5 replies to this topic

#1 svgmx5

svgmx5

    Advanced Member

  • Members
  • PipPipPip
  • 301 posts
  • LocationUS

Posted 07 February 2013 - 11:29 AM

The issue i'm having is that i have several audio files that i don't want to allow anyone else to gain access to them. Each file is in a separate folder inside a main folder, that i'll call "download" for now. So "download" has several other directories, and inside each directory are audio files.

Those audio files are played with in a web app on the system. The issue is that right now anyone can type in the full address of the file "localhost.com/download/dir/file.mp3" and play the audio file. This is what i want to prevent from happening, i want those files to only stream when they are access or streamed from our application.

I tried the following on the .htaccess file

deny from all
This just returned an 403 forbidden page, but i was unable to stream the file from the application

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)localhost.com/.*$ [NC]
RewriteRule \.(mp3|wav)$ - [F]

This just disabled the stream all together did not return a 403 or anything it just did not stream from neither the application or direct access

Finally i'm using ajax to call the script that holds the files to be streamed, could this be the issue? are there any options i can use?

Thanks in advanced

#2 requinix

requinix

    Hopeless Member

  • Moderators
  • 5,992 posts
  • LocationWA

Posted 07 February 2013 - 02:11 PM

It is impossible to prevent the user from accessing those files: in order to hear them they have to be downloaded to the user's computer. The best you can do is encrypt the files and decrypt them in the player. But even then the player could be reverse-engineered and someone could discover the encryption key and algorithm.
When in doubt, CHECK YOUR ERROR LOG

#3 svgmx5

svgmx5

    Advanced Member

  • Members
  • PipPipPip
  • 301 posts
  • LocationUS

Posted 08 February 2013 - 01:17 PM

darn..that's what i was afraid off. Well thank you for the response eitherway

#4 svgmx5

svgmx5

    Advanced Member

  • Members
  • PipPipPip
  • 301 posts
  • LocationUS

Posted 12 February 2013 - 07:21 AM

Ok so i think i got this issue taken care off. What i did was put all the files outside the root folder and i created a PHP script to stream them. So now all i do is use the <audio> tag and use a url that looks like this "streamtest.phpf?file=file123.mp3" this seems to do the job for now.

#5 kicken

kicken

    Wiser? Not exactly.

  • Gurus
  • 2,679 posts
  • LocationBonita, FL

Posted 12 February 2013 - 07:57 AM

Someone could still just access that PHP file and download the mp3's via it, no different than accessing the files directly.
Recycle your old CD's, don't trash them!
Did I help you out?  Feeling generous? I accept tips via Paypal or Bitcoin @ 14mDxaob8Jgdg52scDbvf3uaeR61tB2yC7

#6 svgmx5

svgmx5

    Advanced Member

  • Members
  • PipPipPip
  • 301 posts
  • LocationUS

Posted 12 February 2013 - 09:17 AM

True that, but the way the site is set up is that the user has to log in to access the files. So i set it up in a way where it checks if the user has an active session along with a few more things in order to only allow the user who is already logged in access to stream the file. At this point that's the best i can do, i realize that nothing on the net is safe, but i feel that for the average user this will work for now. Of course if anyone else has any other suggestions on what else i can do i'm all ears




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

Cheap Linux VPS from $5
SSD Storage, 30 day Guarantee
1 TB of BW, 100% Network Uptime

AlphaBit.com