How can I protect my media files from being view directly ?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Syranide
Forum Contributor
Posts: 281
Joined: Fri May 20, 2005 3:16 pm
Location: Sweden

Post by Syranide »

Common protection against hotlinking is simply checking the "referrer" gotten in the headers... if it says another site, (or perhaps nothing at all, unsafe) it means it is hotlinked.

This is the technique most commonly used I believe.

However, you could also use sessions: whenever a page is viewed on your site you start a session that says files can be downloaded, and when they access resources the session is checked for that. As such they cannot download hotlinked files before accessing your site.

So no, protection against hotlinking doesn't require DRM or other fancy stuff, apply restrictions where they are needed, and DRM is NOT needed, and doesn't really protect against hotlinking, both solutions above should work perfectly fine. The latter being even more secure and controllable.

EDIT... or do you really mean hiding the files from the public so that files can only be downloaded without "your" permission?
aerodromoi
Forum Contributor
Posts: 230
Joined: Sun May 07, 2006 5:21 am

Post by aerodromoi »

Syranide wrote:Common protection against hotlinking is simply checking the "referrer" gotten in the headers... if it says another site, (or perhaps nothing at all, unsafe) it means it is hotlinked.
There is often a quite simple explanation for a nonexistent referrer: Privacy tools.
I don't have any figures at my fingertips right now, but I wouldn't just say "tough luck" to those who've got this kind of software installed.
Syranide wrote:EDIT... or do you really mean hiding the files from the public so that files can only be downloaded without "your" permission?
It's just a guess - but it makes sense in case we're talking about a flash player integrated into his website (streaming mp3s).

aerodromoi
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

Now, I don't want to sound stupid but..

You could store some things as binary data in a database and then use scripts to build and output the files, couldn't you?

Then you just make them authenticate in order to view the script..
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

Daedalus- wrote:Now, I don't want to sound stupid but..

You could store some things as binary data in a database and then use scripts to build and output the files, couldn't you?

Then you just make them authenticate in order to view the script..
You're not stupid; many people do this for images, although it is definitely a poor choice to do so. Databases are not necessarily meant for storing files; that's what a filesystem is for. Using a database is in fact much slower and creates a lot of unnecessary overhead, especially for movies and mp3s and such.
quocbao
Forum Commoner
Posts: 59
Joined: Sat Feb 04, 2006 2:03 am
Location: HCM,Vietnam

Post by quocbao »

I think the best way to protect your media content is not providing the direct link to users :)
aerodromoi
Forum Contributor
Posts: 230
Joined: Sun May 07, 2006 5:21 am

Post by aerodromoi »

quocbao wrote:I think the best way to protect your media content is not providing the direct link to users :)
Security through obscurity doesn't always work...
daedalus__
DevNet Resident
Posts: 1925
Joined: Thu Feb 09, 2006 4:52 pm

Post by daedalus__ »

Can't he just write a script that builds a relative link and then forces a download?

I thought that's what a lot of sites that don't want files linked directly do.

You should e-mail the girl who runs Home of the Underdogs, I think that they have a great way of doing it.

http://www.the-underdogs.info/

I always wondered what she looks like. ^^
quocbao
Forum Commoner
Posts: 59
Joined: Sat Feb 04, 2006 2:03 am
Location: HCM,Vietnam

Post by quocbao »

aerodromoi wrote:Security through obscurity doesn't always work...
Can you tell me why :)
aerodromoi
Forum Contributor
Posts: 230
Joined: Sun May 07, 2006 5:21 am

Post by aerodromoi »

quocbao wrote:
aerodromoi wrote:Security through obscurity doesn't always work...
Can you tell me why :)
Just imagine that you're serving your files via a PHP script.
Unfortunately, your script does not change the filename and you have not put an .htaccess file in the download directory.
One day, Joe Blog enters the URL www.yourunknowndomain.com/download/filename and (open end)

Greetings,
aerodromoi
Roja
Tutorials Group
Posts: 2692
Joined: Sun Jan 04, 2004 10:30 pm

Post by Roja »

quocbao wrote:
aerodromoi wrote:Security through obscurity doesn't always work...
Can you tell me why :)
This is called "A tale of two banks".

Bank 1 hides its customers' money in the middle of a desert. It doesn't put it in a safe, it doesn't have guards, it doesn't even bother to keep track of how much money it has. No one is even standing by the money to make sure it is still there. No one can get the money because it's "hidden" in an "obscure" location.

Bank 2 puts its customers' money right in plain view. You walk in their front door (past an armed security guard), under the 24-hour security cameras, and stare into the 12-inch thick metal vault to see millions of dollars - all in safe deposit boxes, locked containers, and holding cells with laser detectors.

A thief finds out the location of both.

Which would you want your money in?

When obscurity fails, true security becomes incredibly valuable.
HubGoblin
Forum Newbie
Posts: 7
Joined: Fri Apr 14, 2006 9:27 am

Post by HubGoblin »

Why don't you keep the media directly in the MySQL server as BLOB data? This will encapsulate the data and prevent downloading without script support.
bonkerz
Forum Newbie
Posts: 1
Joined: Tue Jun 27, 2006 4:14 am

Post by bonkerz »

I'm also having the same problem on my site - I had over 40GB of bandwidth stolen last month (damn mp3s!) and probably increasing amounts every month before that.

I've tried .htaccess, which has caused lots of problems with legitimate users not being able to get the files, and I've yet to find something secure enough that blocks "outside" users from getting to the files...

The search continues....
aerodromoi
Forum Contributor
Posts: 230
Joined: Sun May 07, 2006 5:21 am

Post by aerodromoi »

bonkerz wrote:I'm also having the same problem on my site - I had over 40GB of bandwidth stolen last month (damn mp3s!) and probably increasing amounts every month before that.

I've tried .htaccess, which has caused lots of problems with legitimate users not being able to get the files, and I've yet to find something secure enough that blocks "outside" users from getting to the files...

The search continues....
I'd put the files in an .htaccess-protected directory. All users who'd like to download a file have to use a PHP script which functions as an intermediary (and allows for login routines), using the header and readfile functions.

aerodromoi
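Syranide's session gate and aerodromoi's header()/readfile() intermediary combined into one download script, as an added example that is not code posted by anyone in this thread. It assumes a media directory /var/media kept outside the web root (or holding an .htaccess with "Require all denied"), the site hostname www.example.com, and a session flag can_download that normal page views set after session_start(); all three are placeholders.

```php
<?php
// Added example: intermediary download script (not from the thread).
// ASSUMPTIONS: MEDIA_DIR is not web-reachable, SITE_HOST is this site,
// and page views set $_SESSION['can_download'] = true after session_start().
declare(strict_types=1);

const MEDIA_DIR = '/var/media';        // placeholder path
const SITE_HOST = 'www.example.com';   // placeholder hostname

session_start();

// 1. Session gate: a request that never passed through a site page gets no file.
if (empty($_SESSION['can_download'])) {
    http_response_code(403);
    exit('Forbidden');
}

// 2. Referrer check. An EMPTY Referer is deliberately allowed, because privacy
//    tools and some browsers strip it (aerodromoi's objection above); only a
//    Referer that names a different host is treated as hotlinking.
$referer = $_SERVER['HTTP_REFERER'] ?? '';
if ($referer !== '') {
    $host = parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || strtolower($host) !== SITE_HOST) {
        http_response_code(403);
        exit('Hotlinking not allowed');
    }
}

// 3. Resolve the requested file safely: strip any directory part, refuse
//    dot-files such as .htaccess, and require the real path to stay inside
//    MEDIA_DIR even if a symlink is involved.
$name = basename((string) ($_GET['f'] ?? ''));
$path = ($name === '' || $name[0] === '.') ? false : realpath(MEDIA_DIR . '/' . $name);
if ($path === false || strpos($path, MEDIA_DIR . '/') !== 0 || !is_file($path)) {
    http_response_code(404);
    exit('Not found');
}

// 4. Send the file with explicit headers, then stream it with readfile().
$mime = mime_content_type($path) ?: 'application/octet-stream';
$safeName = str_replace(['"', "\r", "\n"], '', $name);
header('Content-Type: ' . $mime);
header('Content-Length: ' . (string) filesize($path));
header('Content-Disposition: attachment; filename="' . $safeName . '"');
header('Cache-Control: private, no-store');
readfile($path);
```

Because every download passes through this script, you can later add a login check or a per-session rate limit in step 1 without touching the web server configuration.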