How can I protect my media files from being viewed directly?


KENT
Forum Newbie
Posts: 8
Joined: Sat Mar 11, 2006 1:02 am

How can I protect my media files from being viewed directly?

Post by KENT »

Hello,
I hope you guys understand my problem here. I plan to make a music website but don't want them to download my media files or hotlink my files somewhere.

To protect against hotlinking: I used .htaccess and it seems to work well.

But how do I protect them from being downloaded or viewed directly?
// Sorry for the English .. :(

Hope you can help me out :oops:
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

Doesn't hotlinking protection cover that? :?
KENT
Forum Newbie
Posts: 8
Joined: Sat Mar 11, 2006 1:02 am

Post by KENT »

:(
If you use a downloader to download the data, .htaccess will not work in this case, because .htaccess checks for the right referer while a downloader can catch the referer URL given by the browser.

My problem is how to make the data so it can't be downloaded and viewed directly :?
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

If you (want to) require being logged in, use a downloader script that can check the session data to verify they are logged in. It's not foolproof as being logged in can be "faked" to a degree.

As for downloaders, there's not many ways around that. They often send known, standard, user-agents (last I saw) so it'd be quite difficult to tell if something is a downloader or not. You can make their life more painful by limiting the number of files they can download at a time (using session data again) however knowing if they've fully downloaded the file can be another story (although possible)

You can also deny multiple log ins (with a timeout kill on older log ins) ... But overall, if they can link to it, they can download it.
KENT
Forum Newbie
Posts: 8
Joined: Sat Mar 11, 2006 1:02 am

Post by KENT »

:(
It seems that I'm trying to solve one of the most difficult problems. In reality, there are few sites that can protect their data from being downloaded. The way you pointed at is so interesting to me.

My client required me to code a data-protected website and my head is dizzy.
AGISB
Forum Contributor
Posts: 422
Joined: Fri Jul 09, 2004 1:23 am

Post by AGISB »

The only solution is: DRM (Digital Rights Management)
KENT
Forum Newbie
Posts: 8
Joined: Sat Mar 11, 2006 1:02 am

Post by KENT »

Thank you for your help, AGISB
But does DRM support every media extension? Is it a possible way if my files are ringtones?
timvw
DevNet Master
Posts: 4897
Joined: Mon Jan 19, 2004 11:11 pm
Location: Leuven, Belgium

Post by timvw »

Imho, the most important question would be: Do my customers have hardware that can enforce DRM?

If you don't want people to immediately download files, you shouldn't place them online.
Second option is to offer them through a download script (files outside of public_html directory) where you test if they meet a couple of requirements:
- logged_in? Only offering a download to a user that can be billed for it seems like a good idea :)
- acceptable useragent string in the header? doesn't seem like a good idea.. as long as the customer pays, does it really matter he drives a rolls or a toyota?
- ...
KENT
Forum Newbie
Posts: 8
Joined: Sat Mar 11, 2006 1:02 am

Post by KENT »

:( DRM now seems to be a difficulty as it requires things on the client side.
Maybe using a download script to read data from outside public_html is a good idea.
alex.barylski
DevNet Evangelist
Posts: 6267
Joined: Tue Dec 21, 2004 5:00 pm
Location: Winnipeg

Post by alex.barylski »

feyd wrote:If you (want to) require being logged in, use a downloader script that can check the session data to verify they are logged in. It's not foolproof as being logged in can be "faked" to a degree.

As for downloaders, there's not many ways around that. They often send known, standard, user-agents (last I saw) so it'd be quite difficult to tell if something is a downloader or not. You can make their life more painful by limiting the number of files they can download at a time (using session data again) however knowing if they've fully downloaded the file can be another story (although possible)

You can also deny multiple log ins (with a timeout kill on older log ins) ... But overall, if they can link to it, they can download it.
That's possible using PHP? I've read briefly about it, but never paid attention...

Now I'm interested...can you explain the basics??

Make a tutorial out of it ;)
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

It's somewhat painful, and is likely server-dependent, but should be possible through the use of a loop and checking connection_status() and its sibling functions. Although I have not thoroughly tested it across multiple servers and configurations. The concept works off of setting a flag if the connection gets aborted by the user. It may help to register a shutdown function. See here for more details: http://php.net/features.connection-handling
KENT
Forum Newbie
Posts: 8
Joined: Sat Mar 11, 2006 1:02 am

misled

Post by KENT »

My topic is misled. Does anyone have any idea how to solve my problem? I found that with ASP.NET we can easily do something to forbid a user access to a file. Can PHP do this also?

What should I do if I want to restrict/deny a user from downloading my files? :cry:

--
again, sorry for the English
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Don't host them within the webroot - use a PHP file to stream the file to legitimate logged in users. What could be more simple?
judas_iscariote
Forum Newbie
Posts: 2
Joined: Mon Mar 27, 2006 9:48 pm

Post by judas_iscariote »

You need something like PEAR HTTP_Download and store your files outside the document root, the rest can be controlled via an authentication process, and it's not too painful. :wink:
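
The download-script approach suggested in this thread (files outside the document root, a session login check, a per-session limit, and connection_status() to tell whether the transfer finished), as an added example that is not part of any poster's message. MEDIA_DIR, MAX_DOWNLOADS, the `file` query parameter and the `user_id` / `downloads_done` session keys are assumed names.

```php
<?php
// Added example, not code from the thread. Assumed names: MEDIA_DIR, MAX_DOWNLOADS,
// ?file=, $_SESSION['user_id'] (set by your login code), $_SESSION['downloads_done'].
session_start(); // session stays open (locked) while streaming: one download at a time

const MEDIA_DIR     = '/var/www/private_media'; // real path, outside the document root
const MAX_DOWNLOADS = 5;                         // constructed per-session limit

function deny(int $code, string $msg): void {
    http_response_code($code);
    header('Content-Type: text/plain');
    exit($msg);
}

// 1. Only logged-in users get files.
if (empty($_SESSION['user_id'])) {
    deny(403, 'Login required');
}
// 2. Cap completed downloads per session.
$done = $_SESSION['downloads_done'] ?? 0;
if ($done >= MAX_DOWNLOADS) {
    deny(429, 'Download limit reached');
}
// 3. Accept plain file names only, then confirm the resolved path is inside MEDIA_DIR
//    (rejects "../" tricks and symlinks that point elsewhere).
$name = (string)($_GET['file'] ?? '');
$path = preg_match('/^[A-Za-z0-9._-]+$/', $name) ? realpath(MEDIA_DIR . '/' . $name) : false;
if ($path === false || !is_file($path) || strpos($path, MEDIA_DIR . '/') !== 0) {
    deny(404, 'Not found');
}
$fh = fopen($path, 'rb');
if ($fh === false) {
    deny(500, 'Cannot open file');
}
// 4. Stream in chunks; keep running after a client abort so it can be observed.
ignore_user_abort(true);
while (ob_get_level() > 0) { ob_end_clean(); } // drop output buffers so flush() sends
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: attachment; filename="' . $name . '"');
while (!feof($fh) && connection_status() === CONNECTION_NORMAL) {
    echo fread($fh, 8192);
    flush();
}
// 5. Count the download only if the whole file went out on a live connection.
$complete = feof($fh) && connection_status() === CONNECTION_NORMAL;
fclose($fh);
if ($complete) { $_SESSION['downloads_done'] = $done + 1; }
```

This controls who can fetch a file and how often; once a file has been delivered to a logged-in user, the script has no say over what happens to the copy.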
aerodromoi
Forum Contributor
Posts: 230
Joined: Sun May 07, 2006 5:21 am

Post by aerodromoi »

judas_iscariote wrote:you need something like PEAR HTTP_Download and store your files outside the document root, the rest can be controlled via an authentication process, and it's not too painful. :wink:
Assuming this thread is still open - why don't you protect your files with a htaccess file, thus forcing the user to load the files via a php script?

aerodromoi

For the htaccess file:


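# Refuse direct HTTP requests for .mp3 files; a PHP script can still read them from disk.
# Apache 2.2 syntax; on Apache 2.4 the equivalent is "Require all denied".
<FilesMatch "\.mp3$">
     Order deny,allow
     Deny from all
</FilesMatch>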