Block access to media files?


DjMikeWatt

Hi there... Having a hard time finding the best answer to this.

 

I'm working on a site that allows access to media files (mp3|flv) through the site. The site is a subscription service and uses php sessions to authenticate users. All pages that contain media files are protected and require authentication for access.

 

The problem is, if you subscribe for just a short time you would be able to figure out our naming conventions and paths to media (follow date structured directories). How can I prevent the file from being served outside of a particular page asking for it? Even more so, I need the paid users to be able to right-click save-as from that page, but still block access to anyone else trying to access it.

 

I've looked into mod_rewrites and from what I understand that would only be effective against hot-linkers, but wouldn't do anything to stop someone from just typing into their browser: http://mysite.com/media/2009/August/media_file.flv

 

I know there must be a way to do this, but I just don't know where to begin.

 

Any help is much appreciated.


You need to dynamically output the files using a server side scripting language, such as php.

 

The link to the file would be http://mysite.com/output.php?file=xyz

 

The file output.php (or whatever name you choose for it) would take the $_GET['file'] value and output the actual file that corresponds to that value. The actual value xyz can be just about anything you want that relates to the actual media file, you could even generate unique values for each member/media file so that you know by the value which member the link was originally produced for. This will allow you to move your existing files to a folder that is outside your document root folder (closer to the disk root) so that anyone knowing the existing scheme can no longer access the files.

 

The file output.php also needs to check the $_SESSION variable that says the current visitor is logged in and is authorized to access the specific media file.


I'm trying to follow you here... not quite there yet.

 

I do use php, in fact, the files are called by php as it is now. The files are changed every month, they are stored in year and month specific directories, and the file names have the month, year, and indicator (v1, I2, I3, S4 - there are a total of 13 files each month). As it is right now, the video files are called by:

 

/video/<?php echo date('Y').'/'.date('F').'/'.date('Y').'_'.date('F').'_v'.$v.'.flv';?>

 

which renders as

 

/video/2009/August/2009_August_v1.flv

 

for example... where $v is determined by $_GET in the referring link. Audio files are very similar, but don't use the variable at the end; instead, each link uses the above and inserts its own indicator at the end, like:

 

/audio/<?php echo date('Y').'/'.date('F').'/'.date('Y').'_'.date('F').'_I1.mp3';?>

 

which renders as

 

/audio/2009/August/2009_August_I1.mp3

 

for example... where "I1" is changed in each link (I2, I3, S1, S2, etc.)

 

Now, having said all that, this naming convention is not set in stone - meaning, it's not too late for me to reconfigure the whole thing. But what I'm not following in your post, is this... even using a $_GET param to call the file, wouldn't the file path still be visible on the output.php page?  I mean, if you loaded that page then clicked "view source" wouldn't you see the full path in there somewhere?  If not, how would the page know what file to display without a path (even a dynamically generated one) somewhere in the code?


Put the files outside your webroot directory. So if your webroot is public_html, you put them above that. Then build a php script that calls the file from the absolute path (which has access to files outside the webroot) and serve it up. That way they can only get the file using the php script, not by direct access. Then build something into your php script to make sure that they have permission to download the files.

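The output.php approach from the replies above, as an added example that is not code from any poster: it checks the session, verifies a per-member link token, and serves a file stored outside the web root. The media path, the secret, the session keys (`member_id`, `subscribed`) and the `t` parameter are assumptions; the file-name pattern follows the 2009_August_v1.flv convention described in the thread.

```php
<?php
// output.php: added example, not code from the thread.
declare(strict_types=1);

const MEDIA_ROOT  = '/home/example/private_media'; // assumed path, outside the web root
const LINK_SECRET = 'CHANGE-ME-long-random-value'; // assumed server-side secret

// Per-member link token: shows which member a link was produced for
// and cannot be forged without LINK_SECRET.
function media_token(int $memberId, string $fileId): string
{
    return hash_hmac('sha256', $memberId . '|' . $fileId, LINK_SECRET);
}

// Map an id such as "2009_August_v1.flv" to a path under MEDIA_ROOT.
// The strict pattern rejects "../" and any name outside the convention.
function resolve_media(string $fileId): ?string
{
    $re = '/^(\d{4})_([A-Z][a-z]+)_[A-Za-z]\d{1,2}\.(mp3|flv)$/';
    if (!preg_match($re, $fileId, $m)) {
        return null;
    }
    $dir  = $m[3] === 'flv' ? 'video' : 'audio';
    $path = MEDIA_ROOT . "/$dir/{$m[1]}/{$m[2]}/$fileId";
    return is_file($path) ? $path : null;
}

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

session_start();
$memberId = $_SESSION['member_id'] ?? null;        // assumed session key
if ($memberId === null || empty($_SESSION['subscribed'])) deny(403);

$fileId = (string)($_GET['file'] ?? '');
$token  = (string)($_GET['t'] ?? '');
if (!hash_equals(media_token((int)$memberId, $fileId), $token)) deny(403);

$path = resolve_media($fileId);
if ($path === null) deny(404);

session_write_close();                             // release the session lock before streaming
$isMp3 = pathinfo($path, PATHINFO_EXTENSION) === 'mp3';
header('Content-Type: ' . ($isMp3 ? 'audio/mpeg' : 'video/x-flv'));
header('Content-Length: ' . filesize($path));
header('Content-Disposition: inline; filename="' . basename($path) . '"');
readfile($path);
```

The protected page would build each link as `output.php?file=<name>&t=<media_token(member, name)>`, so "view source" shows only the script URL, and a former subscriber who guesses a file name is still stopped by the session check.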

Put the files outside your webroot directory. So if your webroot is public_html, you put them above that. Then build a php script that calls the file from the absolute path (which has access to files outside the webroot) and serve it up. That way they can only get the file using the php script, not by direct access. Then build something into your php script to make sure that they have permission to download the files.

 

This sounds like it makes sense... now I just have to make sure I'm following.

 

My hosting account is on a shared server. My hosting account's root lives at "http://wattproductions.com" - On the actual server, that "root" is actually at

/home/content/d/j/m/[username]/html/

 

Now, I don't have access to anything above the "wattproductions.com" level - everything above "html" is out of range for me. This site I'm working on, however, uses domain aliasing - so it lives at "radioimaging101.com", which is in reality, at:

wattproductions.com/sites/imaging101/

 

Can I use the same principle to place them simply above the /imaging101 directory, which is the http_root of this site?


hmmm

 

what about owner/admin rw and guest gets no access to folder+files in it

script gets file from that directory (server side) and sends it to the user - that must be possible somehow!

 

unless script copies file from location that is protected and then sends temporary download link to user - I can't think


Yeah, I'm actually really surprised that Apache doesn't have a simple solution for this, it seems like a very reasonable and common thing to want to do... "if a request for files in [media_directory], deny access unless request originates from [my_page.php]."

 

I'm not trying to keep out hackers and professionals, just the average people who would be on the site...


I think I may have a fairly simple solution to this.

 

I'll use MD5 to encrypt the file name, much like I do with passwords.  Have the page call the DB value, which will always be the long, 32 character encrypted string.  So, even IF people go in to view source and try to see what's back there, they'll only have the path and some long random file name that wouldn't help in deducing what other files' names might be.

 

I like it - feels very simple. I'm gonna give it a shot, but in the meantime, anyone think of any reason why this isn't going to work as expected?

 

(This thread should probably be moved to server side/php now... ?)


Use sha1() instead of md5() - md5() has to some degree been reverse engineered, so people may occasionally be able to figure out your filenames. Also, add a salt to the filename before encrypting it.


  • 1 year later...

Just spotted this topic through the Forum Search. Did you manage to get a solution? I'm looking for some sort of similar idea. This will be for audio books. We've discussed md5'ing the URL string.

 

Has anyone managed to get a subscription service running? I'm considering changing the site we've made over to a possible shopping cart? Any suggestions appreciated.

 

Thanks :)


Archived

This topic is now archived and is closed to further replies.
