Flash Movie Security Using PHP

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

jphilip
Forum Newbie
Posts: 2
Joined: Mon Aug 09, 2010 3:56 pm

Flash Movie Security Using PHP

Post by jphilip »

Hi,
This is my first post and topic on DevNetwork. I am creating a heavy media content website where users can view movies but cannot upload any. Only the admin is allowed to do that. The users have to pay to view the full movie, otherwise the movie trailers are shown. I am using flowplayer (FLV player) to stream the movie.
Usually people use a media server such as Wowza or lighttpd for such websites, but I am not in a position to use them. I have to use only the Apache server, that's it. Now the issue I had with flowplayer was the URL in the link. Basically anyone can use Firebug or view the source file to see the actual directory path and download the full movie. I could solve this issue with a rewrite rule, no problem.
BUT the main issue is to allow only paid members to view the full movies, while guests can only watch the trailers. At first I used the xmoov stream server to solve this, and it did. I wrote PHP code to check whether the user is logged in. If logged in, stream the full movie using a PHP script, else stream the trailer using a PHP script.
But since my website will have at least 5 thousand traffic per day and everyone will access the same PHP script for the movie, it is impossible to use xmoov stream since it is very, very slow. In fact it doesn't work even for a couple of users. I have a deadline and I don't have the time to investigate xmoov. So I had to scrap xmoov stream.

So I came up with this other very, very simple solution, and I want to know whether this is a good idea and whether it will work fine.
Basically the FLV movie link will be something like this:

get_movie.php?movie=kill_bill_vol1

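The get_movie.php will then check the user:

<?php
session_start();

// Login check; the session key name is an assumption, the post only says "user logged in"
if (isset($_SESSION['user_id'])) {
    // show full movie
    header('Location: http://www.yoursite.com/videos/action/kill_bill_vol1');
} else {
    // show trailer
    header('Location: http://www.yoursite.com/videos/action/t ... _bill_vol1');
}
exit; // stop the script once the redirect header has been sent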

INSTEAD of using a PHP script to stream the movie, I just wrote a redirect and it works fine. The users cannot view the actual directory link. But it's hard to believe that such a big security issue could be solved with just a couple of lines of code. Am I missing something here? Will this work? Expert opinion please!!!

Justin
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: Flash Movie Security Using PHP

Post by Mordred »

This is not a working protection, they can see the redirect URL just as well and hit it directly. If you have to work with PHP authentication/authorization, streaming the videos through PHP seems to be the only way.
I haven't got much experience with streaming video, so maybe others can advise you better, but as for the authorization code, it does (almost) nothing.
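What this reply describes, as an added example that is not part of the thread or any poster's code: get_movie.php performs the authorization check and then sends the file bytes itself, so no directly fetchable URL is ever handed to the browser. The session key `paid`, the `/var/media/videos` path and the `full`/`trailers` directory layout are assumptions made for illustration.

```php
<?php
// get_movie.php: authorize, then stream the file from a directory that Apache
// does not serve. All names below are assumed, not taken from the thread.
session_start();

const VIDEO_ROOT = '/var/media/videos';   // assumed location outside the web root

function resolve_movie(string $name, bool $paid): ?string
{
    // Accept only simple slugs such as kill_bill_vol1; this rejects "../",
    // absolute paths and anything else that could leave the video directory.
    if (!preg_match('/^[a-z0-9_]{1,64}$/', $name)) {
        return null;
    }
    $dir  = $paid ? 'full' : 'trailers';  // assumed directory layout
    $path = realpath(VIDEO_ROOT . "/$dir/$name.flv");
    // realpath() returns false for a missing file; also confirm the resolved
    // path is still inside VIDEO_ROOT in case of symlinks.
    if ($path === false || strpos($path, VIDEO_ROOT . '/') !== 0) {
        return null;
    }
    return $path;
}

$movie = $_GET['movie'] ?? '';
$paid  = !empty($_SESSION['paid']);       // assumed to be set at login/payment
$path  = is_string($movie) ? resolve_movie($movie, $paid) : null;

if ($path === null) {
    http_response_code(404);
    exit;
}

// Release the session lock so one long download does not block the same
// user's other requests for the duration of the transfer.
session_write_close();

header('Content-Type: video/x-flv');
header('Content-Length: ' . filesize($path));
header('Cache-Control: private, no-store');

// Drop any output buffers so the file is not held in memory in full.
while (ob_get_level() > 0) {
    ob_end_clean();
}
readfile($path);
```

With the redirect version, the `Location` header is part of the HTTP response and can be read and requested directly without a session; here the only reachable URL is the script, and the check runs on every request.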
jphilip
Forum Newbie
Posts: 2
Joined: Mon Aug 09, 2010 3:56 pm

Re: Flash Movie Security Using PHP

Post by jphilip »

@mordred
Thanks for the reply ... even I don't have experience in streaming ... this is my first attempt at creating a streaming content site ...
If you meant that the URL will change after the redirect ... then no ... it does not change ...
Actually I am using "get_movie.php?movie=kill_bill_vol1" in an <a href> link ... not directly in the URL ...

Something like this:

<html xmlns="http://www.w3.org/1999/xhtml">
<head></head>
<body>
<a href="get_movie.php?movie=kill_bill_vol1" id="player"> </a>
<script>
flowplayer("player", "flash/flowplayer-3.2.2.swf");
</script>
</body>
</html>

After the redirect it streams without any problems ... and without the URL changing in the <a href> link ... so I guess it's secure ...