
Block Direct Access to files


svgmx5


The issue I'm having is that I have several audio files that I don't want to allow anyone else to gain access to. Each file is in a separate folder inside a main folder, that I'll call "download" for now. So "download" has several other directories, and inside each directory are audio files.

 

Those audio files are played within a web app on the system. The issue is that right now anyone can type in the full address of the file "localhost.com/download/dir/file.mp3" and play the audio file. This is what I want to prevent from happening; I want those files to only stream when they are accessed or streamed from our application.

 

I tried the following on the .htaccess file

 

deny from all

This just returned a 403 Forbidden page, but I was unable to stream the file from the application.

 

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)localhost.com/.*$ [NC]
RewriteRule \.(mp3|wav)$ - [F]

 

This just disabled the stream altogether; it did not return a 403 or anything, it just did not stream from either the application or direct access.

 

Finally, I'm using AJAX to call the script that holds the files to be streamed; could this be the issue? Are there any options I can use?

 

Thanks in advance


It is impossible to prevent the user from accessing those files: in order to hear them they have to be downloaded to the user's computer. The best you can do is encrypt the files and decrypt them in the player. But even then the player could be reverse-engineered and someone could discover the encryption key and algorithm.


OK, so I think I got this issue taken care of. What I did was put all the files outside the root folder and I created a PHP script to stream them. So now all I do is use the <audio> tag and use a URL that looks like this "streamtest.phpf?file=file123.mp3"; this seems to do the job for now.


True that, but the way the site is set up is that the user has to log in to access the files. So I set it up in a way where it checks if the user has an active session along with a few more things in order to only allow the user who is already logged in access to stream the file. At this point that's the best I can do; I realize that nothing on the net is safe, but I feel that for the average user this will work for now. Of course, if anyone else has any other suggestions on what else I can do, I'm all ears.
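
The approach described in the last two posts (files kept outside the web root, served by a PHP script that checks the login session), as an added example that is not the poster's own script. It also validates the `file` parameter so a request cannot reach files outside the audio folder; `AUDIO_DIR`, the `user_id` session key and `resolveAudioPath()` are assumed names.

```php
<?php
declare(strict_types=1);
// Added example. Assumed: AUDIO_DIR path, $_SESSION['user_id'] set at login, ?file= parameter.

const AUDIO_DIR = '/var/media/audio';   // assumed location outside the web root
const MIME = ['mp3' => 'audio/mpeg', 'wav' => 'audio/wav'];

/** Resolve a requested name to a real audio file under $baseDir, or null if not allowed. */
function resolveAudioPath(string $baseDir, string $requested): ?string
{
    // Conservative character set: rejects NUL bytes, backslashes, control characters.
    if (!preg_match('#^[A-Za-z0-9_\-./]+\z#', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);   // resolves ../ and symlinks
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }
    // Containment check: the resolved path must still be inside the audio directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Extension allow-list, checked on the resolved path rather than the raw input.
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return isset(MIME[$ext]) ? $path : null;
}

session_start();
if (empty($_SESSION['user_id'])) {      // not logged in: refuse before touching the file system
    http_response_code(403);
    exit;
}
$file = $_GET['file'] ?? '';
$path = is_string($file) ? resolveAudioPath(AUDIO_DIR, $file) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}
session_write_close();                  // release the session lock while the file streams
header('Content-Type: ' . MIME[strtolower(pathinfo($path, PATHINFO_EXTENSION))]);
header('Content-Length: ' . filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

A request such as `?file=../../etc/passwd` passes the character filter but fails the containment check after `realpath()`, so it gets the same 404 as a missing file.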
