How to password protect streaming video using php

What is the best way to password protect QuickTime streaming video using PHP / .htaccess? They are broadcast using RTSP, but if necessary I can use other formats.

I know how to authenticate using php, but I'm not sure how to configure authentication to protect the URLs of the streaming files so that the user cannot just copy the URL and share it.

Or am I thinking too much about it, and can I just use the usual authentication scheme and put the files in a secure directory?

+6
authentication php login streaming quicktime
5 answers

The nginx and lighttpd web servers have X-Send-File headers that you can return from PHP. This way you can do your checks in PHP and then conditionally serve the file.

    if (check_user_can_access()) {
        header('X-sendfile: /path/to/file');
    } else {
        header('HTTP/1.1 403 Fail!');
    }

Lighttpd also has a neat module called mod_secure_download, which allows you to programmatically generate a URL that will only be valid for a short time period.

Nginx, and possibly lighttpd, allows you to limit the download speed, so you do not send streaming data faster than you can use it.

In any case, you want to use your web server to serve files. Serving them through PHP is possible, but slow.

+3

Try using the Amazon S3 service. It has its quirks, but it makes sense once you are familiar with it.

Their API has bindings for generating temporary URLs that are active for a specified time, so you can freely display the URL to the visitor because it will not work after 10 minutes or later.

This is almost trivial to do in PHP (about 15 lines of code), and there are many examples on their forums, so you do not need to start from scratch and read the full documentation on how to achieve this.

Whatever authorization you need is done before creating and showing the links to it.

You can also make it look like it is served from your domain, such as video.yourdomain.com, instead of the standard S3 URLs.

The last thing: it is cheap. We paid about $2 for a month of testing and deployment, when I downloaded 8 GB and downloaded it 3 times completely and initialized the download about 100 times. The person for whom I did this is so pleased with the price that he wants to move all of his downloadable media to S3.

Now, after reading everything that I wrote, it looks like a commercial / spam, but I am so happy with the service, because earlier I coded everything myself for audio files, and it took several days until everything worked fine, while this took a couple of hours to implement (mostly getting acquainted with the service).

+1
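The short-lived links that mod_secure_download and the S3 temporary URLs above provide come down to signing the path and an expiry time with a server-side secret. As an added example that is not part of either answer and does not reproduce lighttpd's or Amazon's URL formats, here is that idea in PHP; `/stream.php`, `LINK_SECRET`, `MEDIA_ROOT` and the file names are assumptions.

```php
<?php
// Added example: HMAC-signed download links that expire. All names are assumptions.
const LINK_SECRET = 'replace-with-a-long-random-secret'; // placeholder value
const MEDIA_ROOT  = '/srv/media';                        // assumed, outside the web root

// Sign path and expiry together so neither can be changed on its own.
function sign_link(string $path, int $expires): string
{
    return hash_hmac('sha256', $path . "\n" . $expires, LINK_SECRET);
}

// Build the link after the login check has passed; $ttl is in seconds.
function make_link(string $path, int $ttl, int $now): string
{
    $expires = $now + $ttl;
    return '/stream.php?' . http_build_query(
        ['f' => $path, 'e' => $expires, 's' => sign_link($path, $expires)]
    );
}

// Check a request's query parameters: well-formed, unexpired, signature intact.
function verify_link(array $q, int $now): bool
{
    foreach (['f', 'e', 's'] as $key) {
        if (!isset($q[$key]) || !is_string($q[$key])) {
            return false;
        }
    }
    if (!ctype_digit($q['e']) || (int) $q['e'] < $now) {
        return false; // malformed or expired
    }
    return hash_equals(sign_link($q['f'], (int) $q['e']), $q['s']);
}

// Headers the handler would send: hand off to the web server, or refuse.
function response_headers(array $q, int $now): array
{
    return verify_link($q, $now)
        ? ['X-Sendfile: ' . MEDIA_ROOT . '/' . $q['f']]
        : ['HTTP/1.1 403 Forbidden'];
}

// Constructed demo with a fixed clock instead of time().
$now = 1700000000;
parse_str((string) parse_url(make_link('lectures/intro.mov', 600, $now), PHP_URL_QUERY), $q);
print_r(response_headers($q, $now + 60));   // inside the 10-minute window
print_r(response_headers($q, $now + 601));  // after expiry
$q['f'] = 'lectures/other.mov';             // path swapped, old signature kept
print_r(response_headers($q, $now + 60));
```

Adding the logged-in user's ID to the signed string ties a link to one account as well as to a time window.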

You can take a look at: mod_xsendfile (for apache)

This allows you to internally redirect the file.

So, you can point the download link at checkCredentials.php

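    <?php
    // isAuthorised() and show403() are the application's own helpers.
    if (isAuthorised($_POST['user'], $_POST['pass'])) {
        // mod_xsendfile serves $somefile internally.
        header("X-Sendfile: $somefile");
        header("Content-Type: application/octet-stream");
        // The parameter is "filename"; send only the base name, not the server path.
        header('Content-Disposition: attachment; filename="' . basename($somefile) . '"');
        exit(0);
    } else {
        show403('bad credentials');
    }
    ?>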

This module is also available for other web servers. If I remember correctly, the idea originally comes from lighttpd, but, as Josh states, it is also available for nginx.

+1

In Jacco's solution, can you check the headers, find the file URL and download it without authentication?

A possible solution that I can think of would be to put the files someplace inaccessible to everyone except the browser, i.e. using .htaccess to disable everything. Will this work?

+1

Firstly, it is very easy to fake the referer. This information is stored in the user's browser, so the user can simply connect to your server and provide his own referer matching your domain.

A few things you could try:

The first is more secure, but can still be faked. mod_rewrite provides the ability to check cookies. What you can do is set a cookie containing some obscure data when a user visits your site. Then you can change your RewriteCond to something like this:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_COOKIE} obscurename=obscurevalue [NC]
    RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
    RewriteRule \.(asx|ASX)$ http://www.yourdomain.com/images/leech.gif [R,L]

Another, better technique involves working with PHP and mime types. I'm not sure how well this will support streaming content, but I assume it will work. What you can do is have all your video links point to a .php file (the query string determines which video was selected). Then, when the user tries to visit this link, you do something like this:

    <?php
    // You could also check some sort of session variable
    // that is set when the user visits another part of your
    // site
    if (!isLoggedIn()) {
        header("Location: errorPage.htm");
        exit;
    } else {
        // Get the name of the file specified
        $file = get_file_name($_GET['fileID']);
        // Specify the proper mime-type for the data you're sending
        // (this may have to change, depending on your situation)
        header("Content-type: video/vnd.rn-realvideo");
        // Read the file and output it to the browser
        readfile($file);
    }
    ?>

From what I read, most servers know which mime types are streaming mime types, so the browser should be able to figure out how to properly handle the streamed file.

0