How to protect hot linking of video downloads?
 

I am thinking about offering video downloads - but how can you protect people linking to the files directly to download them? (Eg someone posting a link to the mpeg's url on a different site).

Can you use the hotlinking tool that's built into cpanel? Or would it require something more custom?

What would be even better is to have the videos on another domain, and some kind of protection system that checks to see the request for the video came from a specific domina.

Eg, have the main site in root: mysite.com and have the videos in vids.mysite.com and only accept the request for the video if the request was reffered from a link on the main site (mysite.com).

Sounds complicated doesn't it! *!*

Just make a call using the Flash player to a PHP script which tells it which domain it's on along with some other details that pertain to your server. It's not 100% secure but it's sufficient! Considering there are a million and one details you could use to check it's your server. Make the call relative to the current domain though, and also die gracefully if the response is a 404.

Furthermore, consider creating a little promotional video that you could play instead of the actual video if the video resides on a site other than yours. If they're silly enough not to check the video after they've embedded, you've got yourself some free advertising!

You don't even need to place the videos on a sub-domain for this little trick to work if you don't want to.

Thanks WH - although I was thinking more along the lines of actual downloads of mpegs, i.e. 'right click and save as'

Any ideas on that?

Cheers,

Hmm interesting. You can't stop them from downloading the video to their hard-disks, but you could prevent them from hotlinking to the video on your website - if that's what you mean.

What about a certain coded message inside? :S Data that responds to certain Protocols? I'm just confusing myself >.< But surely you could! Though it might just make the Flash Player slow.

Have a script that makes a call to a location below the web root. Or you can .htaccess it to deny all, leaving your server the only thing that can access it. I could be wrong,. but I believe there is no way to download a file that is below the web root unless the script has it do so.

Indeed, if the file is outside of the webroot then it couldn't be accessed except by a script on the server (assuming the script had permission to get out of the webroot).

Alan.

Even most shared hosts give you access one directory below the web root (public_html on most servers)

Thanks guys that's very helpful.

This site has some kind of system where a temporary link to the video is generated: gamer syde dot com (all one word) which then expires after a short while.

I wonder how they are doing it?

Well.... lets say they do something along these lines:

1. You go and click on a download link on the site

2. when a download request is triggerd, a script generates a download link wich links to a file outside webroot. In the form that its a script that picks up the file and then triggers a download window in the browser when clicked like "download.php?id=2323". When clicked it should check that the ID is still valid for download and then proceed with download or remove the link and then display an errror.

3. When a succesfull download is done the link will only survive for a set amount of time then "die" in other words become invalid.


Wich means that you make sure the script that generates a download link checks to see that the request comes from a script on your site and not from the outside. And make a check in the script that "picks up" the download.

Hope this thoughts are usefull.

Good Luck.

/EyeDentify

Thanks ED, that seems like a logical way of doing it... now... just gotta get my head round the coding part of it lol.

I'm sure I'll post for more help when I come round to doing it :-$* !*

I'll give you a hint. ;-) The script has to do with a combination of readfile(), and header()---beyond the referrer check of course. The reason we suggest you store the downloads outside the root html directory is so that no one can directly link to those files.

To take the first example from the PHP manual, and fix it a bit:Betcha already can think of how to use stuff like this.

Thanks Robert - I think I need to do a lot more reading up *!*

Hey guys - would any of you consider doing this as a paid job? I don't trust my php skills to do it for a live site tbh!

Hi Brook. Take a look at this thread. I found a pretty nice script to do what you are looking for.

Thanks Bill, will check it out!

If that does not work, I may be interested in doing this for you. Send me a PM if you wish to speak with me about this project. I've written a script much like this before.

Hotlink could be bypassed with curl, when you set up the referer to the same website the apache will still parse it.