Page 1 of 2
How can I protect my media files from being view directly ?
Posted: Sat Mar 11, 2006 1:13 am
by KENT
Hello,
I hope you guys understand my problem here. I plan to make a music website but dont want them to download my media files and hotlinking my files on somewhere.
To protect hotlinking: I used .htaccess and it seems to be work well.
But how to protect them from being downloaded or view directly ?
// Sorry for the english ..
Hope you can help me out

Posted: Sat Mar 11, 2006 1:17 am
by feyd
Doesn't hotlinking protection cover that?

Posted: Sat Mar 11, 2006 1:27 am
by KENT

If you use a downloader to download the data . .htaccess will not work in this case. Because .htaccess check for the right referer and while downloader can catch the referer url given by browser.
My problem is how to make the data cant be downloaded and view directly

Posted: Sat Mar 11, 2006 1:39 am
by feyd
If you (want to) require being logged in, use a downloader script that can check the session data to verify they are logged in. It's not foolproof as being logged in can be "faked" to a degree.
As for downloaders, there's not many ways around that. They often send known, standard, user-agents (last I saw) so it'd be quite difficult to tell if something is a downloader or not. You can make their life more painful by limiting the number of files they can download at a time (using session data again) however knowing if they've fully downloaded the file can be another story (although possible)
You can also deny multiple log ins (with a timeout kill on older log ins) ... But overall, if they can link to it, they can download it.
Posted: Sat Mar 11, 2006 1:48 am
by KENT

It seems that i'm trying to solve one of the most difficult problem. In reality, there are few site can protect their data from being downloaded. The way you pointed at is so interesting to me.
My client required me to code a data-protected website and my head is dizzy
Posted: Sat Mar 11, 2006 7:16 am
by AGISB
The only solution is: DRM (Digital Rights Management)
Posted: Sat Mar 11, 2006 9:19 am
by KENT
Thank you for your help, AGISB
But does DRM support every media extensions ? Is it possible way if my files are ringtones ?
Posted: Sat Mar 11, 2006 9:24 am
by timvw
Imho, the most important question would be: Do my customers have hardware that can enforce DRM?
If you don't want people to immediately download files, you shouldn't place them online.
Second option is to offer them through a download script (files outside of public_html directory) where you test if they meet a couple of requirements:
- logged_in? Only offering a download to a user that can be billed for it seems like a good idea

- acceptable useragent string in the header? doesn't seem like a good idea.. as long as the customer pays, does it really matter he drives a rolls or a toyota?
- ...
Posted: Sat Mar 11, 2006 9:38 am
by KENT

DRM seems now to be a difficulty as it required things on client side.
Maybe, using the solution that using a download script to read data from outside public_html is a good idea.
Posted: Mon Mar 20, 2006 11:35 pm
by alex.barylski
feyd wrote:If you (want to) require being logged in, use a downloader script that can check the session data to verify they are logged in. It's not foolproof as being logged in can be "faked" to a degree.
As for downloaders, there's not many ways around that. They often send known, standard, user-agents (last I saw) so it'd be quite difficult to tell if something is a downloader or not. You can make their life more painful by limiting the number of files they can download at a time (using session data again) however knowing if they've fully downloaded the file can be another story (although possible)
You can also deny multiple log ins (with a timeout kill on older log ins) ... But overall, if they can link to it, they can download it.
Thats possible using PHP? I've read breifly about it, but never paid attention...
Now i'm interested...can you explain the basics??
Make a tutorial out of it

Posted: Mon Mar 20, 2006 11:48 pm
by feyd
It's somewhat painful, and is likely server dependant, but should be possible through the use of a loop and checking
connection_status() and its sibling functions. Although I have not thoroughly tested it across multiple servers and configurations. The concept works off of setting a flag if the connection gets aborted by the user. It may help to register a shutdown function. See here for more details:
http://php.net/features.connection-handling
misled
Posted: Tue Mar 21, 2006 5:07 am
by KENT
my topic is misled. Anyone has any idea to solve my problem ? I found that with ASP.NET we can something easily to forbid a user access to a file. Can PHP do this also ?
What should I do if i want to restrict/deny a user download my files ?
--
again, sorry for the english
Posted: Tue Mar 21, 2006 5:27 am
by Maugrim_The_Reaper
Don't host them within the webroot - use a PHP file to stream the file to legitimate logged in users. What could be more simple?
Posted: Mon Mar 27, 2006 9:51 pm
by judas_iscariote
you need something like PEAR HTTP_Download and store your files outside the document root, the rest can be controlled via an authentication process, and it's not too painful.

Posted: Fri Jun 02, 2006 5:42 am
by aerodromoi
judas_iscariote wrote:you need something like PEAR HTTP_Download and store your files outside the document root, the rest can be controlled via an authentication process, and it's not too painful.

Assuming this thread is still open - why don't you protect your files with a htaccess file, thus forcing
the user to load the files via a php script?
aerodromoi
for the htaccess file
Code: Select all
<FILESMATCH "\.mp3$">
order deny,allow
deny from all
</FILESMATCH>