Protecting .Gif and .WMV files

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Dougwa
Forum Newbie
Posts: 4
Joined: Tue Jun 20, 2006 7:26 pm

Post by Dougwa »

feyd | Please use code and [syntax="..."] tags where appropriate when posting code. Your post has been edited to reflect how we'd like it posted. Please read: Posting Code in the Forums (http://forums.devnetwork.net/viewtopic.php?t=21171) to learn how to do it too.


Hi there,

In order to protect .wmvs and .gifs from being viewed except by being logged in, I've written a few PHP scripts.

i.e. /tester/test.wmv will show the correct video when logged in, and a "You are not logged in" video otherwise.

To do this I've configured IIS to pass all .gif and .wmv through php-cgi.exe.

I have a dummy file test.wmv which contains session verification,
and outputs the real file, something like this:

Code: Select all

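<?php

// Dummy test.wmv: IIS hands .wmv requests to php-cgi.exe, so this runs on every request.
session_start();

    header("Cache-control: private");
    header("Content-type: video/x-ms-wmv");

    // Logged-in users get the real video, everyone else the error video.
    if(isset($_SESSION['name'])){ 
        $file = 'content\test.wmv';
        $fh = fopen($file, 'rb'); // binary-safe read on Windows
        $data = fread($fh, filesize($file));
        echo $data;
        fclose($fh); // close the handle, not the file name
    } else {
        $file = 'content\error.wmv';
        $fh = fopen($file, 'rb');
        $data = fread($fh, filesize($file));
        echo $data;
        fclose($fh);
    }
?>

Which will then restrict the video to logged in messages.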

My problem is this: when I load the page in Internet Explorer, it works correctly and displays the logged in images / videos whilst logged in, and the error pictures otherwise.

However in Firefox it does not work for the video. I did a tcptrace and discovered that it is not passing the PHPSESSID cookie when it calls the server for the video (the second time).

Source code to my problem:
http://dougwa.freepgs.com/test.zip

You will need to configure your server to use PHP for .gif and .wmvs to get it to work.

Thanks ahead of time


Robert Plank
Forum Contributor
Posts: 110
Joined: Sun Dec 26, 2004 9:04 pm

Post by Robert Plank »

Did you try, in the link to the video, force passing the session ID as a query string instead of as a cookie...
Dougwa
Forum Newbie
Posts: 4
Joined: Tue Jun 20, 2006 7:26 pm

Post by Dougwa »

Yes, I've tried doing that. The problem is Firefox makes 3 calls to the server:

1) FIREFOX
REQUEST web page

SERVER
Web page + gif data + setcookie PHPSESSID

2) FIREFOX
REQUEST AVI + cookie PHPSESSID = %garbledeegook%

SERVER
Avi data

3) FIREFOX
REQUEST AVI from what looks like a plugin

SERVER
Avi data + setcookie PHPSESSID

PS thanks for the reply, the Mozilla forums didn't have much advice for me :p !
John Cartwright
Site Admin
Posts: 11470
Joined: Tue Dec 23, 2003 2:10 am
Location: Toronto

Post by John Cartwright »

You could simply store the files outside the web directory and serve them through a PHP script, i.e. media.php?fileid=somevideo.avi, since PHP will have access to the folder while your users never will. This way you can easily control the user permission settings, instead of relying on server settings and such.
Dougwa
Forum Newbie
Posts: 4
Joined: Tue Jun 20, 2006 7:26 pm

Post by Dougwa »

Hi and thanks for your help.

I've changed it to use a php script as mentioned above
the html code is

Code: Select all

<HTML>
    <HEAD>
    </HEAD>
    <BODY>
    <A HREF="login.php">Login</A><P>
    <A HREF="logout.php">Logout</A><P>
    <img src="gif.php?filename=alpha-w.gif"> 
    <embed src="wmv.php?filename=test.wmv">
    </object>
    </BODY>
</HTML>

However once again it works in IE but not in Firefox? Any ideas?
Maugrim_The_Reaper
DevNet Master
Posts: 2704
Joined: Tue Nov 02, 2004 5:43 am
Location: Ireland

Post by Maugrim_The_Reaper »

Opening <object> tag???
Dougwa
Forum Newbie
Posts: 4
Joined: Tue Jun 20, 2006 7:26 pm

Post by Dougwa »

lol yeah, sorry about that

I got it working by passing the session id to the filename

Code: Select all

<?php
    session_start();
?>
<HTML>
    <HEAD>
    </HEAD>
    <BODY>
    <A HREF="login.php">Login</A><P>
    <A HREF="logout.php">Logout</A><P>
     Here is an image!<P>
    <img src="gif.php?filename=alpha-w.gif"><P>
    <embed src="wmv.php?filename=test.wmv&session=<?php echo session_id()?>"/>
    </BODY>
</HTML>

And then setting the session id inside of the movie file

Code: Select all

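<?php

// Adopt the session ID passed in the query string by the <embed> URL.
session_id($_GET['session']);
session_start();

    header("Cache-control: private");
    header("Content-type: video/x-ms-wmv");

    if(isset($_SESSION['name'])){ 
        // basename() keeps the requested name inside content\ (no ..\ or sub-paths).
        $file = "content\\" .  basename($_GET['filename']);
        $fh = fopen($file, 'rb'); // binary-safe read on Windows
        $data = fread($fh, filesize($file));
        echo $data;
        fclose($fh); // close the handle, not the file name
    } else {
        $file = 'content\error.wmv';
        $fh = fopen($file, 'rb');
        $data = fread($fh, filesize($file));
        echo $data;
        fclose($fh);
    }
?>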
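
An added example, not part of the thread or the poster's code: one way to combine John Cartwright's suggestion (files outside the web root, served by a script) with the workaround in the last post, without putting the session ID in the URL. `MEDIA_DIR`, `TOKEN_KEY`, `TOKEN_TTL` and the function names are hypothetical; the page issues a short-lived HMAC-signed link after its own login check, and `wmv.php` verifies that link because the plugin request arrives without the cookie.

```php
<?php
// Added example, not code from the thread. MEDIA_DIR, TOKEN_KEY, TOKEN_TTL and
// the function names are assumptions made for illustration.
const MEDIA_DIR = 'D:/private_media';        // assumed folder outside the web root
const TOKEN_KEY = 'REPLACE-WITH-RANDOM-KEY'; // placeholder; load a real secret from config
const TOKEN_TTL = 300;                       // seconds a media link stays valid

function media_token(string $filename, int $expires): string
{
    // The HMAC binds the token to one file name and one expiry time.
    return hash_hmac('sha256', $filename . '|' . $expires, TOKEN_KEY);
}

// Page side: call only after the isset($_SESSION['name']) check has passed.
function media_url(string $filename): string
{
    $expires = time() + TOKEN_TTL;
    return 'wmv.php?' . http_build_query([
        'filename' => $filename,
        'expires'  => $expires,
        'token'    => media_token($filename, $expires),
    ]);
}

// wmv.php side: returns the path to serve, or null when the request is refused.
function resolve_media(array $query): ?string
{
    $name    = (string)($query['filename'] ?? '');
    $expires = (int)($query['expires'] ?? 0);
    $token   = (string)($query['token'] ?? '');
    if ($expires < time() || !hash_equals(media_token($name, $expires), $token)) {
        return null; // expired, tampered with, or missing token
    }
    // basename() drops any directory part; realpath() must stay inside MEDIA_DIR.
    $base = realpath(MEDIA_DIR);
    $path = realpath(MEDIA_DIR . DIRECTORY_SEPARATOR . basename($name));
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Body of wmv.php: no session_id() from the URL, no raw user path.
$path = resolve_media($_GET) ?? MEDIA_DIR . '/error.wmv';
header('Cache-Control: private');
header('Content-Type: video/x-ms-wmv');
header('Content-Length: ' . filesize($path));
readfile($path);
```

In the page, the tag becomes `<embed src="<?php echo htmlspecialchars(media_url('test.wmv')) ?>">`. The link works for whoever holds it until it expires, so keep `TOKEN_TTL` short.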