5 replies to this topic

[svgmx5]

The issue i'm having is that i have several audio files that i don't want to allow anyone else to gain access to them. Each file is in a separate folder inside a main folder, that i'll call "download" for now. So "download" has several other directories, and inside each directory are audio files.

Those audio files are played with in a web app on the system. The issue is that right now anyone can type in the full address of the file "localhost.com/download/dir/file.mp3" and play the audio file. This is what i want to prevent from happening, i want those files to only stream when they are access or streamed from our application.

I tried the following on the .htaccess file

deny from all

This just returned an 403 forbidden page, but i was unable to stream the file from the application

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)localhost.com/.*$ [NC]
RewriteRule \.(mp3|wav)$ - [F]

This just disabled the stream all together did not return a 403 or anything it just did not stream from neither the application or direct access

Finally i'm using ajax to call the script that holds the files to be streamed, could this be the issue? are there any options i can use?

Thanks in advanced

[requinix]

It is impossible to prevent the user from accessing those files: in order to hear them they have to be downloaded to the user's computer. The best you can do is encrypt the files and decrypt them in the player. But even then the player could be reverse-engineered and someone could discover the encryption key and algorithm.

[svgmx5]

darn..that's what i was afraid off. Well thank you for the response eitherway

[svgmx5]

Ok so i think i got this issue taken care off. What i did was put all the files outside the root folder and i created a PHP script to stream them. So now all i do is use the <audio> tag and use a url that looks like this "streamtest.phpf?file=file123.mp3" this seems to do the job for now.

[kicken]

Someone could still just access that PHP file and download the mp3's via it, no different than accessing the files directly.

[svgmx5]

True that, but the way the site is set up is that the user has to log in to access the files. So i set it up in a way where it checks if the user has an active session along with a few more things in order to only allow the user who is already logged in access to stream the file. At this point that's the best i can do, i realize that nothing on the net is safe, but i feel that for the average user this will work for now. Of course if anyone else has any other suggestions on what else i can do i'm all ears