How to block a video from being accessed via url?

[Chrisj]

When I play a video (that is blocked from being downloaded as a file from a php web script player that I'm using) I can see the url address of the file from my PC in dev tools > networking > media, Is there a way to block or scramble the video's url from being available to be copied? If not, is there a way to have that url be available only if the potential viewer is 'logged-in' to the web site? Or some type of authentication based on checking for a user's PHP temp session file before allowing access from the video's url?

[requinix]

The browser and the user are indistinguishable. There is no way to hide the video from the user but still allow the browser to get it.

[Chrisj]

Thanks for your reply,  is there a way to have that url be available only if the potential viewer is 'logged-in' to the web site? Or some type of authentication based on checking for a user's PHP temp session file before allowing access from the video's url?

[Chrisj]

Or is there a way to keep the /videos/ folder from being available unless a potential viewer is logged-in to the web site?

[requinix]

Sure: don't make the video files publicly-accessible, and instead route them through a PHP script.

[Chrisj]

Thanks for your reply. Can you give me an example of that type of script?

[gw1500se]

It will be more than just a script. You will need to set up a database as well to store the user login information. Try reading this to start.

[requinix]

An example? Don't have one. But they're straightforward:

<?php

if the user is not logged in {
    http_response_code(403);
    exit;
}

if the requested video does not exist {
    http_response_code(404);
    exit;
}

if the user does not have access to the video {
    http_response_code(403);
    exit;
}

$file = the path to the video file on the server
if somehow the file does not exist {
    http_response_code(404);
    exit;
}

header("Content-Type: the mime type of the video which you should already know");
header("Content-Length: " . filesize($file));
readfile($file);

Beyond that you should try to support caching and request ranges, but this works at a minimum.

[benanamen]

 

@gw1500se, there are numerous issues with the tutorial you linked to. It is a very bad example to learn from or use as a reference.

Edited October 1, 2019 by benanamen

[gw1500se]

I'll cross that off.

[Chrisj]

How about something like this:

RewriteEngine OnRewriteCond %{REQUEST_URI} \.(mp4)$ [NC]
RewriteRule ^ validate.php?request_url=%{REQUEST_URI} [L]
# To disable or prevent the directory access/listing
Options -Indexes

with this validate.php?:

<?phpsession_start();
if (!isset($_SESSION['login'])) {
header ('Location: index.php');
exit();
} else {
// Get server document root
$document_root = $_SERVER['DOCUMENT_ROOT'];
// Get request URL from .htaccess
$request_url = $_GET['request_url'];
// Get file name only
$filename = basename($request_url);
// Set headers
header('Content-type: application/mp4');
header('Content-Disposition: inline; filename='.$filename);
// Output file content
@readfile($document_root.$request_url);
}

I look forward to any additional guidance/comments/suggestions

 

[requinix]

1. REQUEST_URI is the whole thing. Path and query string. Test the REQUEST_FILENAME instead.
2. As such it's thoroughly untrustworthy when it comes to you thinking it's a filename. Don't.
3. Super unsafe validate.php would allow people to download any file from your website. Video. Image. PHP script.

[Zane]

Wherever you generate your link to the video at, you'll need to add a hash to a database.  The generated link should pass a GET parameter with the hash.

http://mymp4.com?validate.php?video=40f677a45113eb829e345d278b8d1d31

Then, access your database and look for that hash.  If it exists, delete it and output the video using the code that's already been provided in this post.  That's probably the most minimalist way that I can think of.  You could just skip the database altogether and store the hash in a txt file that's not publicly accessible.  Same concept.

Here's an example.

In this case, the hash is the name of the file.

A video will download the first time, but when you try to access it again with the same link, it fails.

<?php
$v = $_GET['video'] ?? null;

if(file_exists($v)) {
	unlink($v);
	header('Content-type: application/mp4');
	header('Content-Disposition: inline; filename=video.mp4');    
	readfile("./mytestvideoo.mp4");    
} else
   http_response_code(404);

This isn't secure whatsoever, so I wouldn't just copy and paste this.  People could essentially just type in the name of one of your files and it would be deleted.

[Chrisj]

Thanks for your reply,

i like a lot of what you explained, but because I’m learning as I go here, I don’t understand the term “hash” and also generating a GET parameter with the hash. I would welcome any additional explanation/elaboration/example that you’d like to share.

[Zane]

//Generate the link

$normalText = "this is just your average string with words and stuff";

$hashedText = md5($normalText);

fopen($hashedTest, 'w');

echo "<a href='validate.php?video={$hashedText}'>Link to the video</a>

This generates a file named 06d5f7c7c17f15f1b28374b16c64e38d, and a link to validate.php?video=06d5f7c7c17f15f1b28374b16c64e38d

Then, on validate.php, you'd use the concept I put in my last post.

 

 

[Chrisj]

Much thanks again. I have also looked into X-SENDFILE. 

Can you share why you may think the hash solution posted above might be better than X-SENDFILE solution?

I look forward to any comments.

[requinix]

50 minutes ago, Chrisj said:

Much thanks again. I have also looked into X-SENDFILE. 

Can you share why you may think the hash solution posted above might be better than X-SENDFILE solution?

🍎 🍎 🍎 

🍊 🍊 🍊

 

[Chrisj]

???

[requinix]

Apples and oranges.

X-Sendfile is a way to have your web server send a file to the client. Apples.

The hash is a way to identify which video to use for a particular user. Oranges.

[Chrisj]

Thanks for your reply.

Which one would work best for my request: " Is there a way to block or scramble the video's url from being available to be copied? If not, is there a way to have that url be available only if the potential viewer is 'logged-in' to the web site? Or some type of authentication based on checking for a user's PHP temp session file before allowing access from the video's url?"

[requinix]

2 hours ago, Chrisj said:

Thanks for your reply.

Which one would work best for my request: " Is there a way to block or scramble the video's url from being available to be copied? If not, is there a way to have that url be available only if the potential viewer is 'logged-in' to the web site? Or some type of authentication based on checking for a user's PHP temp session file before allowing access from the video's url?"

Apples and oranges. If you at all understood what each one did then you should be able to answer your own question by virtue of the fact that only one of them is actually relevant to your question.

As for an answer to that question, read this thread.

[Chrisj]

Thanks for your reply, but I've looked it over and am looking for feedback from higher skilled people than me

[requinix]

You've gotten feedback. Lots of it. Including feedback when you asked me for help over PM.

I still say the hash is unnecessary, but if you want to use it then go ahead and use it in order to identify which video your script should be displaying. That's a completely separate issue from whether you use X-Sendfile or not. Neither of those will "scramble" the URL so it cannot be copied, but as long as your PHP script checks then it's perfectly capable of ensuring that only logged-in users can see the video (which has nothing to do with whether you use a hash or not).

[Chrisj]

Thanks for your reply.

I don't understand what you mean by "and use it in order to identify which video your script should be displaying"

[requinix]

What words in there do you not understand?