How can I protect my media files from being viewed directly?
Common protection against hotlinking is simply checking the "referrer" gotten in the headers... if it says another site, (or perhaps nothing at all, unsafe) it means it is hotlinked.
This is the technique most commonly used I believe.
However, you could also use sessions, that, whenever a page is viewed on your site you start a session that says files can be downloaded... and when they access resources the session is checked for that. As such they cannot download hotlinked files before accessing your site.
So no, protection against hotlinking doesn't require DRM or other fancy stuff, apply restrictions where they are needed, and DRM is NOT needed, and doesn't really protect against hotlinking, both solutions above should work perfectly fine. The latter being even more secure and controllable.
EDIT... or do you really mean hiding the files from the public so that files can only be downloaded without "your" permission?
- aerodromoi
- Forum Contributor
- Posts: 230
- Joined: Sun May 07, 2006 5:21 am
Syranide wrote: Common protection against hotlinking is simply checking the "referrer" gotten in the headers... if it says another site, (or perhaps nothing at all, unsafe) it means it is hotlinked.
There is often a quite simple explanation for a nonexistent referrer: Privacy tools.
I don't have any figures at my fingertips right now, but I wouldn't just say "tough luck" to those who've got this kind of software installed.
Syranide wrote: EDIT... or do you really mean hiding the files from the public so that files can only be downloaded without "your" permission?
It's just a guess - but it makes sense in case we're talking about a flash player integrated into his website (streaming mp3s).
aerodromoi
- daedalus__
- DevNet Resident
- Posts: 1925
- Joined: Thu Feb 09, 2006 4:52 pm
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
Daedalus- wrote: Now, I don't want to sound stupid but.. You could store some things as binary data in a database and then use scripts to build and output the files, couldn't you? Then you just make them authenticate in order to view the script..
You're not stupid, many people do this for images although it is definitely a poor choice to do so. Databases are not necessarily meant for storing files, that's what a filesystem is for. Using a database is in fact much slower and creates a lot of unnecessary overhead, especially for movies and mp3 and such.
- aerodromoi
- Forum Contributor
- Posts: 230
- Joined: Sun May 07, 2006 5:21 am
- daedalus__
- DevNet Resident
- Posts: 1925
- Joined: Thu Feb 09, 2006 4:52 pm
Can't he just write a script that builds a relative link and then forces a download?
I thought that's what a lot of sites that don't want files linked directly do.
You should e-mail the girl who runs Home of the Underdogs, I think that they have a great way of doing it.
http://www.the-underdogs.info/
I always wondered what she looks like. ^^
- aerodromoi
- Forum Contributor
- Posts: 230
- Joined: Sun May 07, 2006 5:21 am
aerodromoi wrote: Security through obscurity doesn't always work...
quocbao wrote: Can you tell me why
Just imagine that you're serving your files via a php script.
Unfortunately, your script does not change the filename and you have not put a htaccess file in the download directory.
One day, joe blog enters the url www. yourunknowndomain. com/download/filename and (open end)
Greetings,
aerodromoi
aerodromoi wrote: Security through obscurity doesn't always work...
quocbao wrote: Can you tell me why
This is called "A tale of two banks".
Bank 1 hides its customers' money in the middle of a desert. It doesn't put it in a safe, it doesn't have guards, it doesn't even bother to keep track of how much money it has. No one is even standing by the money to make sure it is still there. No one can get the money because it's "hidden" in an "obscure" location.
Bank 2 puts its customers' money right in plain view. You walk in their front door (past an armed security guard), under the 24 hour security cameras, and stare into the 12-inch thick metal vault to see millions of dollars - all in safe deposit boxes, locked containers, and holding cells with laser detectors.
A thief finds out the location of both.
Which would you want your money in?
When obscurity fails, true security becomes incredibly valuable.
I'm also having the same problem on my site - I had over 40gb of bandwidth stolen last month (damn mp3s!) and probably increasing amounts every month before that.
I've tried .htaccess which has caused lots of problems with legitimate users not being able to get the files, and I've yet to find something secure enough that blocks "outside" users from getting to the files...
The search continues....
- aerodromoi
- Forum Contributor
- Posts: 230
- Joined: Sun May 07, 2006 5:21 am
bonkerz wrote: I'm also having the same problem on my site - I had over 40gb of bandwidth stolen last month (damn mp3s!) and probably increasing amounts every month before that. I've tried .htaccess which has caused lots of problems with legitimate users not being able to get the files, and I've yet to find something secure enough that blocks "outside" users from getting to the files... The search continues....
I'd put the files in a htaccess protected directory. All users who'd like to download a file have to use a php script which functions as an intermediary (and allows for login routines), using the header and readfile functions.
aerodromoi
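Added example, not code posted by anyone in this thread: a sketch of the intermediary script described above, combining the session check suggested earlier with header() and readfile(). The names download.php, MEDIA_DIR, the `file` parameter and the `may_download` session key are assumptions; the site's own pages are assumed to call session_start() and set `$_SESSION['may_download'] = true` on a page view or login.

```php
<?php
// download.php (hypothetical name). Assumes the media directory is outside the
// document root or blocked for direct requests via .htaccess
// ("Require all denied" on Apache 2.4), so this script is the only way in.
declare(strict_types=1);

const MEDIA_DIR = '/var/www/protected_media';   // assumed path
const ALLOWED_TYPES = ['mp3' => 'audio/mpeg', 'flv' => 'video/x-flv'];

/** Map a user-supplied name to a real file inside $baseDir, or null. */
function resolve_media(string $requested, string $baseDir = MEDIA_DIR): ?string
{
    $name = basename($requested);               // drop any directory component
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if ($name === '' || !isset(ALLOWED_TYPES[$ext])) {
        return null;                            // only known media types are served
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    // realpath() resolves ".." and symlinks; the result must stay under $base.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

session_start();
if (empty($_SESSION['may_download'])) {         // no prior page view or login
    http_response_code(403);
    exit('Forbidden');
}

$file = $_GET['file'] ?? '';
$path = is_string($file) ? resolve_media($file) : null;
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}

$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
header('Content-Type: ' . ALLOWED_TYPES[$ext]);
header('Content-Length: ' . (string) filesize($path));
// File names are the site's own; strip quotes so the header stays well-formed.
header('Content-Disposition: attachment; filename="'
    . str_replace('"', '', basename($path)) . '"');
header('X-Content-Type-Options: nosniff');
readfile($path);
```

Because the decision rests on server-side session state rather than the Referer header, visitors whose privacy tools strip the referrer are not locked out, and a guessed direct URL into the media directory is refused by the web server itself.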