DjMikeWatt Posted August 4, 2009 Hi there... Having a hard time finding the best answer to this. I'm working on a site that allows access to media files (mp3|flv) through the site. The site is a subscription service and uses php sessions to authenticate users. All pages that contain media files are protected and require authentication for access. The problem is, if you subscribe for just a short time you would be able to figure out our naming conventions and paths to media (follow date structured directories). How can I prevent the file from being served outside of a particular page asking for it? Even more so, I need the paid users to be able to right-click save-as from that page, but still block access to anyone else trying to access it. I've looked into mod_rewrites and from what I understand that would only be effective against hot-linkers, but wouldn't do anything to stop someone from just typing into their browser: http://mysite.com/media/2009/August/media_file.flv I know there must be a way to do this, but I just don't know where to begin. Any help is much appreciated.
PFMaBiSmAd Posted August 4, 2009 You need to dynamically output the files using a server side scripting language, such as php. The link to the file would be http://mysite.com/output.php?file=xyz The file output.php (or whatever name you choose for it) would take the $_GET['file'] value and output the actual file that corresponds to that value. The actual value xyz can be just about anything you want that relates to the actual media file, you could even generate unique values for each member/media file so that you know by the value which member the link was originally produced for. This will allow you to move your existing files to a folder that is outside your document root folder (closer to the disk root) so that anyone knowing the existing scheme can no longer access the files. The file output.php also needs to check the $_SESSION variable that says the current visitor is logged in and is authorized to access the specific media file.
DjMikeWatt Posted August 4, 2009 Author I'm trying to follow you here... not quite there yet. I do use php, in fact, the files are called by php as it is now. The files are changed every month, they are stored in year and month specific directories, and the file names have the month, year, and indicator (v1, I2, I3, S4 - there are a total of 13 files each month). As it is right now, the video files are called by: /video/<?php echo date('Y').'/'.date('F').'/'.date('Y').'_'.date('F').'_v'.$v.'.flv';?> which renders as /video/2009/August/2009_August_v1.flv for example... where $v is determined by $_GET in the referring link. Audio files are very similar, but don't use the variable at the end; instead, each link uses the above and inserts its own indicator at the end, like: /audio/<?php echo date('Y').'/'.date('F').'/'.date('Y').'_'.date('F').'_I1.mp3';?> which renders as /audio/2009/August/2009_August_I1.mp3 for example... where "I1" is changed in each link (I2, I3, S1, S2, etc.) Now, having said all that, this naming convention is not set in stone - meaning, it's not too late for me to reconfigure the whole thing. But what I'm not following in your post, is this... even using a $_GET param to call the file, wouldn't the file path still be visible on the output.php page? I mean, if you loaded that page then clicked "view source" wouldn't you see the full path in there somewhere? If not, how would the page know what file to display without a path (even a dynamically generated one) somewhere in the code?
haku Posted August 4, 2009 Put the files outside your webroot directory. So if your webroot is public_html, you put them above that. Then build a php script that calls the file from the absolute path (which has access to files outside the webroot) and serve it up. That way they can only get the file using the php script, not by direct access. Then build something into your php script to make sure that they have permission to download the files.
Mardoxx Posted August 4, 2009 find a copy of a commercial upload script and have a look at how they manage it. Don't copy the code however, just look at it for ideas... you can't copyright an idea http://rapidlibrary.com/index.php?q=xtraupload
DjMikeWatt Posted August 4, 2009 Author Put the files outside your webroot directory. So if your webroot is public_html, you put them above that. Then build a php script that calls the file from the absolute path (which has access to files outside the webroot) and serve it up. That way they can only get the file using the php script, not by direct access. Then build something into your php script to make sure that they have permission to download the files. This sounds like it makes sense... now I just have to make sure I'm following. My hosting account is on a shared server. My hosting account's root lives at "http://wattproductions.com" - On the actual server, that "root" is actually at /home/content/d/j/m/[username]/html/ Now, I don't have access to anything above the "wattproductions.com" level - everything above "html" is out of range for me. This site I'm working on, however, uses domain aliasing - so it lives at "radioimaging101.com", which is in reality at: wattproductions.com/sites/imaging101/ Can I use the same principle to place them simply above the /imaging101 directory, which is the http_root of this site?
Mardoxx Posted August 4, 2009 hmmm what about owner/admin rw and guest gets no access to folder+files in it script gets file from that directory (server side) and sends it to the user - that must be possible somehow! unless script copies file from location that is protected and then sends temporary download link to user - I can't think
DjMikeWatt Posted August 5, 2009 Author Yeah, I'm actually really surprised that Apache doesn't have a simple solution for this, it seems like a very reasonable and common thing to want to do... "if a request for files in [media_directory], deny access unless request originates from [my_page.php]." I'm not trying to keep out hackers and professionals, just the average people who would be on the site...
Mardoxx Posted August 5, 2009 ahhh have a look at this http://www.zubrag.com/scripts/download.php so THAT'S how it's done reads file contents bit by bit then outputs to browser as content and you could edit this so instead of searching it could get file names from an array so only certain files can be downloaded cool!
DjMikeWatt Posted August 5, 2009 Author I think I may have a fairly simple solution to this. I'll use MD5 to encrypt the file name, much like I do with passwords. Have the page call the DB value, which will always be the long, 32 character encrypted string. So, even IF people go in to view source and try to see what's back there, they'll only have the path and some long random file name that wouldn't help in deducing what other files' names might be. I like it - feels very simple. I'm gonna give it a shot, but in the meantime, anyone think of any reason why this isn't going to work as expected? (This thread should probably be moved to server side/php now... ?)
haku Posted August 6, 2009 Use sha1() instead of md5() - md5() has to some degree been reverse engineered, so people may occasionally be able to figure out your filenames. Also, add a salt to the filename before encrypting it.
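The following script ties the replies above together: the output.php gateway and files-outside-the-webroot idea from the 4 August posts, and the hashed-filename idea from the last two. It is an added example written for this thread, not code posted by anyone in it. It assumes a media directory that the web server never serves directly (MEDIA_ROOT), a server-side secret used as the salt (LINK_SECRET), and that the site's login code sets $_SESSION['user_id'] and $_SESSION['subscribed_until']; all three are assumptions, not something the thread specifies. Note that the opaque token only hides the naming scheme; it is the session check that actually keeps non-subscribers out, which is the point PFMaBiSmAd's reply makes.

```php
<?php
// Added example, not code from the thread. Serves media kept outside the
// document root to logged-in subscribers only, via an opaque link token.
declare(strict_types=1);
session_start();

// Assumed paths and secret: adjust to the real hosting layout.
const MEDIA_ROOT  = '/home/content/d/j/m/username/media'; // a sibling of html/, not under it
const LINK_SECRET = 'change-me-long-random-secret';       // the "salt"; never sent to the browser

// The monthly files, by real relative path (naming scheme from the thread), with MIME types.
$files = [
    'video/2009/August/2009_August_v1.flv' => 'video/x-flv',
    'audio/2009/August/2009_August_I1.mp3' => 'audio/mpeg',
];

// Opaque token for a file: keyed SHA-256 of its path. Because the key is
// secret, someone reading the page source cannot derive tokens for other files.
function media_token(string $relPath): string
{
    return hash_hmac('sha256', $relPath, LINK_SECRET);
}

// Build the token -> (path, mime) lookup. A real site would store this in the database.
$catalog = [];
foreach ($files as $relPath => $mime) {
    $catalog[media_token($relPath)] = [$relPath, $mime];
}

// 1. Authentication and subscription check. This is the actual access control;
//    assumes the login code sets these two session keys.
if (empty($_SESSION['user_id']) || (int) ($_SESSION['subscribed_until'] ?? 0) < time()) {
    http_response_code(403);
    exit('Subscription required.');
}

// 2. Resolve the token. Unknown tokens get a plain 404, with no hint about valid names.
$token = (string) ($_GET['file'] ?? '');
if (!isset($catalog[$token])) {
    http_response_code(404);
    exit('Not found.');
}
[$relPath, $mime] = $catalog[$token];

// 3. Confirm the resolved path really lies inside MEDIA_ROOT before reading it,
//    so a bad catalog entry can never reach files elsewhere on the disk.
$real = realpath(MEDIA_ROOT . '/' . $relPath);
$root = realpath(MEDIA_ROOT);
if ($real === false || $root === false
    || strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
    http_response_code(404);
    exit('Not found.');
}

// 4. Stream the file to the browser. 'inline' lets the page's player use it and
//    still allows right-click save-as; use 'attachment' to force a download instead.
header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($real));
header('Content-Disposition: inline; filename="' . basename($real) . '"');
header('Cache-Control: private, no-store');
readfile($real);
```

A protected page builds each link as `output.php?file=` followed by `media_token('video/2009/August/2009_August_v1.flv')`, so the HTML never contains a real path, and since the files live outside html/ there is no URL that reaches them without passing the session check.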
DjMikeWatt Posted August 6, 2009 Author Add a salt? I'm not sure what that means... (also could be because of my current state of... being at the moment. :-P
stublackett Posted January 7, 2011 Just spotted this topic through the Forum Search. Did you manage to get a solution? I'm looking for some sort of similar idea. This will be for audio books. We've discussed md5'ing the URL String. Has anyone managed to get a subscription service running? I'm considering changing the site we've made over to a possible shopping cart? Any suggestions appreciated. Thanks
merylvingien Posted January 10, 2011 I think this shopping cart solution deals with downloads, will save a whole load of pissing about trying to code your own! http://www.opencart.com/