Jump to content

How to block a video from being accessed via url?


Chrisj

Recommended Posts

When I play a video (that is blocked from being downloaded as a file from a php web script player that I'm using) I can see the url address of the file from my PC in dev tools > networking > media, Is there a way to block or scramble the video's url from being available to be copied? If not, is there a way to have that url be available only if the potential viewer is 'logged-in' to the web site? Or some type of authentication based on checking for a user's PHP temp session file before allowing access from the video's url?

Link to comment
Share on other sites

Thanks for your reply,  is there a way to have that url be available only if the potential viewer is 'logged-in' to the web site? Or some type of authentication based on checking for a user's PHP temp session file before allowing access from the video's url?

Link to comment
Share on other sites

An example? Don't have one. But they're straightforward:

<?php

if the user is not logged in {
    http_response_code(403);
    exit;
}

if the requested video does not exist {
    http_response_code(404);
    exit;
}

if the user does not have access to the video {
    http_response_code(403);
    exit;
}

$file = the path to the video file on the server
if somehow the file does not exist {
    http_response_code(404);
    exit;
}

header("Content-Type: the mime type of the video which you should already know");
header("Content-Length: " . filesize($file));
readfile($file);

Beyond that you should try to support caching and request ranges, but this works at a minimum.

Link to comment
Share on other sites

How about something like this:

RewriteEngine OnRewriteCond %{REQUEST_URI} \.(mp4)$ [NC]
RewriteRule ^ validate.php?request_url=%{REQUEST_URI} [L]
# To disable or prevent the directory access/listing
Options -Indexes

with this validate.php?:

<?phpsession_start();
if (!isset($_SESSION['login'])) {
header ('Location: index.php');
exit();
} else {
// Get server document root
$document_root = $_SERVER['DOCUMENT_ROOT'];
// Get request URL from .htaccess
$request_url = $_GET['request_url'];
// Get file name only
$filename = basename($request_url);
// Set headers
header('Content-type: application/mp4');
header('Content-Disposition: inline; filename='.$filename);
// Output file content
@readfile($document_root.$request_url);
}

I look forward to any additional guidance/comments/suggestions

 

Link to comment
Share on other sites

1. REQUEST_URI is the whole thing. Path and query string. Test the REQUEST_FILENAME instead.
2. As such it's thoroughly untrustworthy when it comes to you thinking it's a filename. Don't.
3. Super unsafe validate.php would allow people to download any file from your website. Video. Image. PHP script.

Link to comment
Share on other sites

Wherever you generate your link to the video at, you'll need to add a hash to a database.  The generated link should pass a GET parameter with the hash.

http://mymp4.com?validate.php?video=40f677a45113eb829e345d278b8d1d31

Then, access your database and look for that hash.  If it exists, delete it and output the video using the code that's already been provided in this post.  That's probably the most minimalist way that I can think of.  You could just skip the database altogether and store the hash in a txt file that's not publicly accessible.  Same concept.

Here's an example.

In this case, the hash is the name of the file.

A video will download the first time, but when you try to access it again with the same link, it fails.

<?php
$v = $_GET['video'] ?? null;

if(file_exists($v)) {
	unlink($v);
	header('Content-type: application/mp4');
	header('Content-Disposition: inline; filename=video.mp4');    
	readfile("./mytestvideoo.mp4");    
} else
   http_response_code(404);

This isn't secure whatsoever, so I wouldn't just copy and paste this.  People could essentially just type in the name of one of your files and it would be deleted.

Link to comment
Share on other sites

Thanks for your reply,

i like a lot of what you explained, but because I’m learning as I go here, I don’t understand the term “hash” and also generating a GET parameter with the hash. I would welcome any additional explanation/elaboration/example that you’d like to share.

Link to comment
Share on other sites

//Generate the link

$normalText = "this is just your average string with words and stuff";

$hashedText = md5($normalText);

fopen($hashedTest, 'w');

echo "<a href='validate.php?video={$hashedText}'>Link to the video</a>

This generates a file named 06d5f7c7c17f15f1b28374b16c64e38d, and a link to validate.php?video=06d5f7c7c17f15f1b28374b16c64e38d

Then, on validate.php, you'd use the concept I put in my last post.

 

 

Link to comment
Share on other sites

Thanks for your reply.

Which one would work best for my request: " Is there a way to block or scramble the video's url from being available to be copied? If not, is there a way to have that url be available only if the potential viewer is 'logged-in' to the web site? Or some type of authentication based on checking for a user's PHP temp session file before allowing access from the video's url?"

Link to comment
Share on other sites

2 hours ago, Chrisj said:

Thanks for your reply.

Which one would work best for my request: " Is there a way to block or scramble the video's url from being available to be copied? If not, is there a way to have that url be available only if the potential viewer is 'logged-in' to the web site? Or some type of authentication based on checking for a user's PHP temp session file before allowing access from the video's url?"

Apples and oranges. If you at all understood what each one did then you should be able to answer your own question by virtue of the fact that only one of them is actually relevant to your question.

As for an answer to that question, read this thread.

Link to comment
Share on other sites

You've gotten feedback. Lots of it. Including feedback when you asked me for help over PM.

I still say the hash is unnecessary, but if you want to use it then go ahead and use it in order to identify which video your script should be displaying. That's a completely separate issue from whether you use X-Sendfile or not. Neither of those will "scramble" the URL so it cannot be copied, but as long as your PHP script checks then it's perfectly capable of ensuring that only logged-in users can see the video (which has nothing to do with whether you use a hash or not).

Link to comment
Share on other sites

This thread is more than a year old. Are you sure you have something important to add to it?

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.