Chrisj Posted October 1, 2019

When I play a video (that is blocked from being downloaded as a file from a php web script player that I'm using) I can see the url address of the file from my PC in dev tools > networking > media. Is there a way to block or scramble the video's url from being available to be copied? If not, is there a way to have that url be available only if the potential viewer is 'logged-in' to the web site? Or some type of authentication based on checking for a user's PHP temp session file before allowing access from the video's url?
requinix Posted October 1, 2019

The browser and the user are indistinguishable. There is no way to hide the video from the user but still allow the browser to get it.
Chrisj (Author) Posted October 1, 2019

Thanks for your reply. Is there a way to have that url be available only if the potential viewer is 'logged-in' to the web site? Or some type of authentication based on checking for a user's PHP temp session file before allowing access from the video's url?
Chrisj (Author) Posted October 1, 2019

Or is there a way to keep the /videos/ folder from being available unless a potential viewer is logged-in to the web site?
requinix Posted October 1, 2019

Sure: don't make the video files publicly-accessible, and instead route them through a PHP script.
Chrisj (Author) Posted October 1, 2019

Thanks for your reply. Can you give me an example of that type of script?
gw1500se Posted October 1, 2019

It will be more than just a script. You will need to set up a database as well to store the user login information. Try reading this to start.
requinix Posted October 1, 2019

An example? Don't have one. But they're straightforward:

```
<?php

if the user is not logged in {
    http_response_code(403);
    exit;
}

if the requested video does not exist {
    http_response_code(404);
    exit;
}

if the user does not have access to the video {
    http_response_code(403);
    exit;
}

$file = the path to the video file on the server

if somehow the file does not exist {
    http_response_code(404);
    exit;
}

header("Content-Type: the mime type of the video which you should already know");
header("Content-Length: " . filesize($file));
readfile($file);
```

Beyond that you should try to support caching and request ranges, but this works at a minimum.
benanamen Posted October 1, 2019 (edited)

@gw1500se, there are numerous issues with the tutorial you linked to. It is a very bad example to learn from or use as a reference.

Edited October 1, 2019 by benanamen
gw1500se Posted October 1, 2019

I'll cross that off.
Chrisj (Author) Posted October 2, 2019

How about something like this:

```apache
RewriteEngine On
RewriteCond %{REQUEST_URI} \.(mp4)$ [NC]
RewriteRule ^ validate.php?request_url=%{REQUEST_URI} [L]

# To disable or prevent the directory access/listing
Options -Indexes
```

with this validate.php?:

```php
<?php
session_start();

if (!isset($_SESSION['login'])) {
    header ('Location: index.php');
    exit();
} else {
    // Get server document root
    $document_root = $_SERVER['DOCUMENT_ROOT'];
    // Get request URL from .htaccess
    $request_url = $_GET['request_url'];
    // Get file name only
    $filename = basename($request_url);
    // Set headers
    header('Content-type: application/mp4');
    header('Content-Disposition: inline; filename='.$filename);
    // Output file content
    @readfile($document_root.$request_url);
}
```

I look forward to any additional guidance/comments/suggestions
requinix Posted October 2, 2019

1. REQUEST_URI is the whole thing. Path and query string. Test the REQUEST_FILENAME instead.
2. As such it's thoroughly untrustworthy when it comes to you thinking it's a filename. Don't.
3. Super unsafe validate.php would allow people to download any file from your website. Video. Image. PHP script.
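A version of validate.php that follows the outline given earlier in the thread and avoids the problem in point 3, as an added example that is not code from any poster. The client sends a video id rather than a path, and the script looks the file name up in a server-side list. `VIDEO_DIR`, the `id` parameter and the `$videos` map are assumptions; `$_SESSION['login']` is the key used in the post above. A per-user access check would go where the comment marks it.

```php
<?php
// Added example, not code from the thread. VIDEO_DIR, the "id" parameter and
// the $videos map are assumptions; $_SESSION['login'] is the key used in the post.
const VIDEO_DIR = '/var/www/private/videos';    // outside the document root

// Server-side map from public id to file name. The client never supplies a path.
$videos = [
    'intro'   => 'intro.mp4',
    'lesson1' => 'lesson-01.mp4',
];

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

session_start();
if (!isset($_SESSION['login'])) {
    deny(403);                                  // not logged in
}

$id = $_GET['id'] ?? '';
if (!is_string($id) || !isset($videos[$id])) {
    deny(404);                                  // unknown id, or array input (id[]=...)
}
// A check that this user may watch $id would go here (403 on failure).

// Resolve symlinks and ".." and confirm the result is still inside VIDEO_DIR.
$base = realpath(VIDEO_DIR);
$file = realpath(VIDEO_DIR . '/' . $videos[$id]);
if ($base === false || $file === false
    || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0
    || !is_file($file)) {
    deny(404);
}

header('Content-Type: video/mp4');
header('Content-Length: ' . filesize($file));
header('Content-Disposition: inline; filename="' . $videos[$id] . '"');
header('X-Content-Type-Options: nosniff');
session_write_close();                          // release the session lock before streaming
readfile($file);
```

With this in place the player links to `validate.php?id=intro`, and the rewrite rule on `.mp4` requests is no longer needed because the files are not under the document root.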
Zane Posted October 2, 2019

Wherever you generate your link to the video at, you'll need to add a hash to a database. The generated link should pass a GET parameter with the hash.

http://mymp4.com?validate.php?video=40f677a45113eb829e345d278b8d1d31

Then, access your database and look for that hash. If it exists, delete it and output the video using the code that's already been provided in this post. That's probably the most minimalist way that I can think of. You could just skip the database altogether and store the hash in a txt file that's not publicly accessible. Same concept.

Here's an example. In this case, the hash is the name of the file. A video will download the first time, but when you try to access it again with the same link, it fails.

```php
<?php
$v = $_GET['video'] ?? null;

if(file_exists($v)) {
    unlink($v);
    header('Content-type: application/mp4');
    header('Content-Disposition: inline; filename=video.mp4');
    readfile("./mytestvideoo.mp4");
} else http_response_code(404);
```

This isn't secure whatsoever, so I wouldn't just copy and paste this. People could essentially just type in the name of one of your files and it would be deleted.
Chrisj (Author) Posted October 2, 2019

Thanks for your reply, I like a lot of what you explained, but because I'm learning as I go here, I don't understand the term "hash" and also generating a GET parameter with the hash. I would welcome any additional explanation/elaboration/example that you'd like to share.
Zane Posted October 2, 2019

```php
<?php
//Generate the link
$normalText = "this is just your average string with words and stuff";
$hashedText = md5($normalText);
// Create an empty file named after the hash
fopen($hashedText, 'w');
echo "<a href='validate.php?video={$hashedText}'>Link to the video</a>";
```

This generates a file named 06d5f7c7c17f15f1b28374b16c64e38d, and a link to validate.php?video=06d5f7c7c17f15f1b28374b16c64e38d

Then, on validate.php, you'd use the concept I put in my last post.
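The one-time link idea from the two posts above, without the file-deletion problem pointed out at the end of the first one, as an added example that is not code from any poster. The token comes from `random_bytes()` instead of `md5()` of a fixed string, token files live in their own directory, and the parameter is checked against a strict pattern before it is used in a path. `TOKEN_DIR`, `issueToken()` and `redeemToken()` are assumed names, and the temp directory is used only so the demo runs anywhere.

```php
<?php
// Added example, not code from the thread. TOKEN_DIR and both function
// names are assumptions. In production use a private directory outside the document root.
define('TOKEN_DIR', sys_get_temp_dir() . '/video-tokens');
if (!is_dir(TOKEN_DIR)) {
    mkdir(TOKEN_DIR, 0700);
}

// Called where the page renders the link: returns the token to put in the URL.
function issueToken(string $videoId): string
{
    $token = bin2hex(random_bytes(16));          // 32 hex chars, unpredictable
    // Mode 'x' fails if the file already exists, so a token is never overwritten.
    $fh = fopen(TOKEN_DIR . '/' . $token, 'x');
    if ($fh === false) {
        throw new RuntimeException('cannot store token');
    }
    fwrite($fh, $videoId);
    fclose($fh);
    return $token;
}

// Called by validate.php: returns the video id once, then null for that token.
function redeemToken($token, int $maxAge = 300): ?string
{
    // Strict format check first: the value never reaches the filesystem
    // unless it is exactly 32 lowercase hex characters.
    if (!is_string($token) || preg_match('/\A[0-9a-f]{32}\z/', $token) !== 1) {
        return null;
    }
    $path = TOKEN_DIR . '/' . $token;
    $mtime = @filemtime($path);
    $videoId = @file_get_contents($path);
    // unlink() succeeds for only one of two concurrent requests.
    if ($mtime === false || $videoId === false || !@unlink($path)) {
        return null;
    }
    return (time() - $mtime <= $maxAge) ? $videoId : null;
}

// Constructed demo: first use, replay of the same token, and a file name as input.
$token = issueToken('intro');
var_dump(redeemToken($token));
var_dump(redeemToken($token));
var_dump(redeemToken('../validate.php'));
```

The returned video id should still be looked up in a server-side list before any file is opened, and the login check still applies.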
Chrisj (Author) Posted October 2, 2019

Much thanks again. I have also looked into X-SENDFILE. Can you share why you may think the hash solution posted above might be better than X-SENDFILE solution? I look forward to any comments.
requinix Posted October 2, 2019

50 minutes ago, Chrisj said:
> Much thanks again. I have also looked into X-SENDFILE. Can you share why you may think the hash solution posted above might be better than X-SENDFILE solution?

🍎 🍎 🍎 🍊 🍊 🍊
Chrisj (Author) Posted October 2, 2019

???
requinix Posted October 2, 2019

Apples and oranges. X-Sendfile is a way to have your web server send a file to the client. Apples. The hash is a way to identify which video to use for a particular user. Oranges.
Chrisj (Author) Posted October 2, 2019

Thanks for your reply. Which one would work best for my request: "Is there a way to block or scramble the video's url from being available to be copied? If not, is there a way to have that url be available only if the potential viewer is 'logged-in' to the web site? Or some type of authentication based on checking for a user's PHP temp session file before allowing access from the video's url?"
requinix Posted October 2, 2019

2 hours ago, Chrisj said:
> Thanks for your reply. Which one would work best for my request: "Is there a way to block or scramble the video's url from being available to be copied? If not, is there a way to have that url be available only if the potential viewer is 'logged-in' to the web site? Or some type of authentication based on checking for a user's PHP temp session file before allowing access from the video's url?"

Apples and oranges. If you at all understood what each one did then you should be able to answer your own question by virtue of the fact that only one of them is actually relevant to your question. As for an answer to that question, read this thread.
Chrisj (Author) Posted October 2, 2019

Thanks for your reply, but I've looked it over and am looking for feedback from higher skilled people than me
requinix Posted October 3, 2019

You've gotten feedback. Lots of it. Including feedback when you asked me for help over PM.

I still say the hash is unnecessary, but if you want to use it then go ahead and use it in order to identify which video your script should be displaying. That's a completely separate issue from whether you use X-Sendfile or not. Neither of those will "scramble" the URL so it cannot be copied, but as long as your PHP script checks then it's perfectly capable of ensuring that only logged-in users can see the video (which has nothing to do with whether you use a hash or not).
Chrisj (Author) Posted October 3, 2019

Thanks for your reply. I don't understand what you mean by "and use it in order to identify which video your script should be displaying"
requinix Posted October 3, 2019

What words in there do you not understand?