Chrisj

How to block a video from being accessed via url?


When I play a video (that is blocked from being downloaded as a file from a PHP web script player that I'm using) I can see the url address of the file from my PC in dev tools > networking > media. Is there a way to block or scramble the video's url from being available to be copied? If not, is there a way to have that url be available only if the potential viewer is 'logged-in' to the web site? Or some type of authentication based on checking for a user's PHP temp session file before allowing access from the video's url?


The browser and the user are indistinguishable. There is no way to hide the video from the user but still allow the browser to get it.


Thanks for your reply. Is there a way to have that url be available only if the potential viewer is 'logged-in' to the web site? Or some type of authentication based on checking for a user's PHP temp session file before allowing access from the video's url?


Or is there a way to keep the /videos/ folder from being available unless a potential viewer is logged-in to the web site?


Sure: don't make the video files publicly-accessible, and instead route them through a PHP script.


Thanks for your reply. Can you give me an example of that type of script?


It will be more than just a script. You will need to set up a database as well to store the user login information. Try reading this to start.


An example? Don't have one. But they're straightforward:

<?php

if the user is not logged in {
    http_response_code(403);
    exit;
}

if the requested video does not exist {
    http_response_code(404);
    exit;
}

if the user does not have access to the video {
    http_response_code(403);
    exit;
}

$file = the path to the video file on the server
if somehow the file does not exist {
    http_response_code(404);
    exit;
}

header("Content-Type: the mime type of the video which you should already know");
header("Content-Length: " . filesize($file));
readfile($file);

Beyond that you should try to support caching and request ranges, but this works at a minimum.
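
One runnable version of the outline above, extended to answer a single `Range` request, as an added example that is not code from the thread. The `$_SESSION['login']` key is the one used later in this thread; `VIDEO_DIR`, the `$videos` catalogue and the `id` parameter are assumptions.

```php
<?php
// Added example; VIDEO_DIR, $videos and the "id" parameter are hypothetical.
session_start();
const VIDEO_DIR = '/srv/private/videos';   // assumed: outside the web root
$videos = ['lesson1' => 'lesson1.mp4'];    // assumed catalogue: ID => file name

function fail(int $code): void
{
    http_response_code($code);
    exit;
}
if (!isset($_SESSION['login'])) fail(403);  // not logged in
session_write_close();                      // release the session lock before streaming
$id = $_GET['id'] ?? '';
if (!is_string($id) || !isset($videos[$id])) fail(404);
// A per-user access check for $id would go here: fail(403) on refusal.
$file = VIDEO_DIR . '/' . $videos[$id];
if (!is_file($file)) fail(404);

$size = filesize($file);
[$start, $end] = [0, $size - 1];
// Honour one range: bytes=S-E, bytes=S- or bytes=-N (the last N bytes).
// Any other Range value is ignored and the whole file is sent.
$range = $_SERVER['HTTP_RANGE'] ?? '';
if (preg_match('/^bytes=(\d*)-(\d*)$/D', $range, $m) && $m[0] !== 'bytes=-') {
    if ($m[1] === '') {
        $start = max(0, $size - (int) $m[2]);
    } else {
        $start = (int) $m[1];
        if ($m[2] !== '') $end = min((int) $m[2], $size - 1);
    }
    if ($start > $end) {                    // nothing to send for this range
        header("Content-Range: bytes */$size");
        fail(416);
    }
    http_response_code(206);
    header("Content-Range: bytes $start-$end/$size");
}
header('Content-Type: video/mp4');
header('Accept-Ranges: bytes');
header('Content-Length: ' . ($end - $start + 1));
$fh = fopen($file, 'rb');
fseek($fh, $start);
for ($left = $end - $start + 1; $left > 0; $left -= strlen($chunk)) {
    $chunk = fread($fh, min(8192, $left));
    if ($chunk === false || $chunk === '') break;
    echo $chunk;
}
fclose($fh);
```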


@gw1500se, there are numerous issues with the tutorial you linked to. It is a very bad example to learn from or use as a reference.

Edited by benanamen


How about something like this:

RewriteEngine On
RewriteCond %{REQUEST_URI} \.(mp4)$ [NC]
RewriteRule ^ validate.php?request_url=%{REQUEST_URI} [L]
# To disable or prevent the directory access/listing
Options -Indexes

with this validate.php?:

<?php
session_start();
if (!isset($_SESSION['login'])) {
    header('Location: index.php');
    exit();
} else {
    // Get server document root
    $document_root = $_SERVER['DOCUMENT_ROOT'];
    // Get request URL from .htaccess
    $request_url = $_GET['request_url'];
    // Get file name only
    $filename = basename($request_url);
    // Set headers
    header('Content-type: application/mp4');
    header('Content-Disposition: inline; filename='.$filename);
    // Output file content
    @readfile($document_root.$request_url);
}

I look forward to any additional guidance/comments/suggestions

 


1. REQUEST_URI is the whole thing. Path and query string. Test the REQUEST_FILENAME instead.
2. As such it's thoroughly untrustworthy when it comes to you thinking it's a filename. Don't.
3. Super unsafe validate.php would allow people to download any file from your website. Video. Image. PHP script.
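
A path-confined version of the validate.php above, as an added example that is not code from the thread: it keeps the thread's `request_url` parameter and `$_SESSION['login']` check but only ever serves `.mp4` files from one directory. `VIDEO_DIR` and `resolveVideo()` are assumed names, and the videos are assumed to live outside the document root.

```php
<?php
// Added example: a path-confined take on the validate.php posted above.
// VIDEO_DIR and resolveVideo() are hypothetical names.
session_start();
const VIDEO_DIR = '/srv/private/videos';   // assumed: outside DOCUMENT_ROOT

/** Map an untrusted request value to an .mp4 inside $baseDir, else null. */
function resolveVideo(string $requested, string $baseDir): ?string
{
    // Keep the last path segment only: "/videos/../validate.php"
    // becomes "validate.php", never a directory walk.
    $name = basename(str_replace('\\', '/', $requested));

    // Allowlist name shape and extension, so "validate.php" stops here.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.mp4$/D', $name)) {
        return null;
    }

    // Canonicalise both sides; realpath() resolves symlinks and returns
    // false when the file does not exist.
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $name);
    if ($base === false || $path === false || !is_file($path)) {
        return null;
    }

    // Containment check on the canonical path.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

if (!isset($_SESSION['login'])) {
    http_response_code(403);
    exit;
}
session_write_close();

$requested = $_GET['request_url'] ?? '';
$file = is_string($requested) ? resolveVideo($requested, VIDEO_DIR) : null;
if ($file === null) {
    http_response_code(404);
    exit;
}

header('Content-Type: video/mp4');
header('X-Content-Type-Options: nosniff');
header('Content-Length: ' . filesize($file));
readfile($file);
```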


Wherever you generate your link to the video at, you'll need to add a hash to a database.  The generated link should pass a GET parameter with the hash.

http://mymp4.com?validate.php?video=40f677a45113eb829e345d278b8d1d31

Then, access your database and look for that hash.  If it exists, delete it and output the video using the code that's already been provided in this post.  That's probably the most minimalist way that I can think of.  You could just skip the database altogether and store the hash in a txt file that's not publicly accessible.  Same concept.

Here's an example.

In this case, the hash is the name of the file.

A video will download the first time, but when you try to access it again with the same link, it fails.

<?php
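$v = $_GET['video'] ?? '';

// The request value is used directly as a file name in the current directory.
if (is_string($v) && file_exists($v)) {
    unlink($v); // single use: remove the marker file
    header('Content-type: application/mp4');
    header('Content-Disposition: inline; filename=video.mp4');
    readfile("./mytestvideoo.mp4");
} else {
    http_response_code(404);
}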

This isn't secure whatsoever, so I wouldn't just copy and paste this.  People could essentially just type in the name of one of your files and it would be deleted.


Thanks for your reply,

I like a lot of what you explained, but because I’m learning as I go here, I don’t understand the term “hash” and also generating a GET parameter with the hash. I would welcome any additional explanation/elaboration/example that you’d like to share.

//Generate the link

$normalText = "this is just your average string with words and stuff";

$hashedText = md5($normalText);

fopen($hashedText, 'w');

echo "<a href='validate.php?video={$hashedText}'>Link to the video</a>";

This generates a file named 06d5f7c7c17f15f1b28374b16c64e38d, and a link to validate.php?video=06d5f7c7c17f15f1b28374b16c64e38d

Then, on validate.php, you'd use the concept I put in my last post.
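
The single-use link idea above with a random token held in the session instead of a file named after the hash, so the request value is never used as a path; this is an added example, not code from the thread. The function names, the `video_tokens` session key and the five-minute lifetime are assumptions.

```php
<?php
// Added example: single-use video tokens kept in the session.
// Function names, the 'video_tokens' key and the TTL are hypothetical.
session_start();

const TOKEN_TTL = 300; // seconds a link stays valid (assumed value)

/** Create an unguessable token bound to one video and return it. */
function issueVideoToken(string $videoId): string
{
    $token = bin2hex(random_bytes(16));            // 128 bits from the CSPRNG
    $_SESSION['video_tokens'][$token] = [
        'video'   => $videoId,
        'expires' => time() + TOKEN_TTL,
    ];
    return $token;
}

/** Consume a token; return its video ID, or null if unknown, used or expired. */
function redeemVideoToken($token): ?string
{
    // Shape check first. The value is only ever an array key, never a
    // file name, so a request cannot touch or delete anything on disk.
    if (!is_string($token) || !preg_match('/^[0-9a-f]{32}$/D', $token)) {
        return null;
    }
    $entry = $_SESSION['video_tokens'][$token] ?? null;
    unset($_SESSION['video_tokens'][$token]);      // single use, even if expired
    if ($entry === null || $entry['expires'] < time()) {
        return null;
    }
    return $entry['video'];
}

// Link page: put the token in the URL.
$link = 'validate.php?video=' . issueVideoToken('lesson1');
echo '<a href="' . htmlspecialchars($link) . '">Link to the video</a>';

// validate.php would then do:
//   $videoId = redeemVideoToken($_GET['video'] ?? null);
//   if ($videoId === null) { http_response_code(404); exit; }
//   ...look up $videoId and send the file as in the earlier posts...
```

Browsers often fetch a video in several range requests, so a strictly single-use token can break seeking; relying on the expiry alone avoids that.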

 

 


Much thanks again. I have also looked into X-SENDFILE. 

Can you share why you may think the hash solution posted above might be better than X-SENDFILE solution?

I look forward to any comments.

50 minutes ago, Chrisj said:

Much thanks again. I have also looked into X-SENDFILE. 

Can you share why you may think the hash solution posted above might be better than X-SENDFILE solution?

🍎 🍎 🍎 

🍊 🍊 🍊

 


Apples and oranges.

X-Sendfile is a way to have your web server send a file to the client. Apples.

The hash is a way to identify which video to use for a particular user. Oranges.


Thanks for your reply.

Which one would work best for my request: " Is there a way to block or scramble the video's url from being available to be copied? If not, is there a way to have that url be available only if the potential viewer is 'logged-in' to the web site? Or some type of authentication based on checking for a user's PHP temp session file before allowing access from the video's url?"

2 hours ago, Chrisj said:

Thanks for your reply.

Which one would work best for my request: " Is there a way to block or scramble the video's url from being available to be copied? If not, is there a way to have that url be available only if the potential viewer is 'logged-in' to the web site? Or some type of authentication based on checking for a user's PHP temp session file before allowing access from the video's url?"

Apples and oranges. If you at all understood what each one did then you should be able to answer your own question by virtue of the fact that only one of them is actually relevant to your question.

As for an answer to that question, read this thread.


Thanks for your reply, but I've looked it over and am looking for feedback from higher skilled people than me


You've gotten feedback. Lots of it. Including feedback when you asked me for help over PM.

I still say the hash is unnecessary, but if you want to use it then go ahead and use it in order to identify which video your script should be displaying. That's a completely separate issue from whether you use X-Sendfile or not. Neither of those will "scramble" the URL so it cannot be copied, but as long as your PHP script checks then it's perfectly capable of ensuring that only logged-in users can see the video (which has nothing to do with whether you use a hash or not).


Thanks for your reply.

I don't understand what you mean by "and use it in order to identify which video your script should be displaying"


What words in there do you not understand?
