
How to block a video from being accessed via url?

When I play a video (that is blocked from being downloaded as a file from a php web script player that I’m using) I can see the url address of the file from my PC in dev tools > networking > media, Is there a way to block or scramble the video’s url from being available to be copied? If not, is there a way to have that url be available only if the potential viewer is ‘logged-in’ to the web site? Or some type of authentication based on checking for a user’s PHP temp session file before allowing access from the video’s url?

PHP

6 Comments(s)

@NogDog Oct 01.2019 — You can put the file outside of the web-root directory tree, then create a PHP "file-server" script that will confirm the user is logged in, and if so, use readfile() to serve it up, after setting applicable header() values. Then the URL would be to the PHP script, not the video (or other) file itself. You could include a GET param to specify the file ID or such, if you need it to support multiple different files.

@chrisjchrisj (author) Oct 01.2019 — Thanks for your reply.

Can this be done with the folder, that the videos are in?

@NogDog Oct 01.2019 —

> @chrisjchrisj#1609343 Can this be done with the folder, that the videos are in?

Sorry, I don't understand this question.

In case this helps, you'll want that folder to not be accessible to HTTP requests, which can be accomplished either by moving it outside of the web root directory tree, or using something like a .htaccess file setting in that directory to prevent such access. The PHP file server script would then be wherever you want it in your application. So your video URL might be something like example.com/path/to/video.php?file=foo.mp4, and video.php might be something like this at its most basic:

```php
<?php

// possible way to check that they are logged in:
session_start();
if (empty($_SESSION['user_id'])) {
    header("HTTP/1.0 404 Not Found"); // or redirect to login page?
    exit;
}
$file = basename($_GET['file'] ?? ''); // prevent directory injection
$dir = '/local/path/to/videos';
if (!is_file("$dir/$file")) { // is_file() also rejects an empty name, which would match the directory itself
    header("HTTP/1.0 404 Not Found");
    exit;
}
header('Content-Type: video/mp4');
// possibly other relevant headers here?
readfile("$dir/$file");
exit;
```

@chrisjchrisj (author) Oct 01.2019 — Thanks for your reply.

I've attempted to test the example you provided, however, I don't know a few things.

I've added this to the top of the page of the file videos.php.

In the script I'm using the videos are stored in a folder named upload/.

The link to a test video is, for example:

http://......com/upload/videos/2019/09/n_7dc4740609a7d608ulu70e2428cdc9c_video_360p_converted.mp4

so, because each month the videos get stored in a new 2019 folder, I don't know how to add the path to $dir =

so that it will forever work.

Also, I'm not sure if I need to change: $dir/$file to anything else.

Any additional guidance is appreciated.



```php
// possible way to check that they are logged in:
session_start();
if(empty($_SESSION['user_id'])) {
    header("HTTP/1.0 404 Not Found"); // or redirect to login page?
    exit;
}
$file = basename($_GET['file']); // prevent directory injection
$dir = '../upload/videos/';
if(!file_exists("$dir/$file")) {
    header("HTTP/1.0 404 Not Found");
    exit;
}
header('Content-Type: video/mp4');
// possibly other relevant headers here?
readfile("$dir/$file");
exit;
```

@NogDog Oct 02.2019 — If the code that currently creates the link knows what year/month to use, you could pass those as additional GET params, perhaps? example.com/yourscript.php?year=2019&month=09&video=n_7dc4740609a7d608ulu70e2428cdc9c_video_360p_converted. Then just grab them, with some validation/filtering to prevent directory injection, maybe:

```php
$year = (int) $_GET['year'];
$month = str_pad((int) $_GET['month'], 2, '0', STR_PAD_LEFT);
$dir = "../upload/videos/$year/$month"; // leave out trailing "/" since we add it later
```

@chrisjchrisj (author) Oct 04.2019 — Thanks for your reply.

I have since been looking at a hash Md5 solution where the hashed md5 solution would replace the url/path with a fake url/path that would disappear when the user session is over, and the next time that video is played a new fake url/path will be displayed. If I have that correct, I believe that would help if a logged in User shared the url/path/link, or someone attempted to hot link the url/path, it would fail once the User logged-out.

I'm attempting to test this. I've added this .htaccess code:

```apache
RewriteEngine On
RewriteCond %{REQUEST_URI} \.(mp4)$ [NC]
RewriteRule ^ validate.php?request_url=%{REQUEST_URI} [L]
# To Disable Or Prevent The Directory Access/Listing
Options -Indexes
```

and added this validate.php file:

```php
<?php
$v = basename($_GET['video'] ?? ''); // token is a bare file name; strip any directory part
if (is_file($v)) {
    unlink($v); // single use: the token file is removed on the first request
    header('Content-type: application/mp4');
    header('Content-Disposition: inline; filename=video.mp4');
    readfile("./mytestvideoo.mp4");
} else http_response_code(404);
```

And I understand that I can store the hash in a txt file that's not publicly accessible. But, I'm not clear on that or this additional code:

```php
// Generate the link
$normalText = "this is just average string with words";
$hashedText = md5($normalText);
fopen($hashedText, 'w'); // create the token file named after the hash
echo "<a href='validate.php?video={$hashedText}'>Link to the video</a>";
```


Any additional guidance/comments so, I can test all this is appreciated.
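
The expiring-link idea from the post above, as an added example that is not part of the thread: instead of md5 token files, each link is signed with HMAC-SHA256 under a random per-session key, so it fails in any other session, after logout, and after its expiry time. `VIDEO_ROOT`, the function names, the `video_key` session entry and the `p`/`e`/`s` parameters are assumptions.

```php
<?php
// Added example, not code from the thread. VIDEO_ROOT, the function names and the
// 'video_key' session entry are assumptions; 'user_id' follows the login check above.
const VIDEO_ROOT = '/local/path/to/videos'; // placeholder path, outside the web root

// Per-session secret: links signed with it stop validating once the session is gone.
function video_key(): string {
    if (empty($_SESSION['video_key'])) {
        $_SESSION['video_key'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['video_key'];
}

// Called after session_start() by the page that prints the link, e.g. video_link('2019/09/clip.mp4').
function video_link(string $relPath, int $ttl = 3600): string {
    $exp = (string) (time() + $ttl);
    $sig = hash_hmac('sha256', "$relPath|$exp", video_key());
    return 'validate.php?' . http_build_query(['p' => $relPath, 'e' => $exp, 's' => $sig]);
}

// Returns the absolute file path to serve, or null when the request must be refused.
function resolve_video(array $q): ?string {
    foreach (['p', 'e', 's'] as $k) {
        if (!is_string($q[$k] ?? null)) return null;
    }
    $expected = hash_hmac('sha256', $q['p'] . '|' . $q['e'], video_key());
    if (!hash_equals($expected, $q['s']) || (int) $q['e'] < time()) {
        return null; // forged, altered or expired link
    }
    $root = realpath(VIDEO_ROOT);
    $real = realpath(VIDEO_ROOT . '/' . $q['p']);
    if ($root === false || $real === false || !is_file($real)) return null;
    // Containment: the resolved path must still be below the video root.
    return strncmp($real, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) === 0 ? $real : null;
}

// Entry point when this file is deployed as validate.php.
if (basename($_SERVER['SCRIPT_NAME'] ?? '') === 'validate.php') {
    session_start();
    $path = empty($_SESSION['user_id']) ? null : resolve_video($_GET);
    session_write_close(); // release the session lock before the long transfer
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: video/mp4');
    header('Content-Length: ' . filesize($path));
    readfile($path);
}
```

Pass the result of `video_link()` through `htmlspecialchars()` when echoing it into an `href`. `readfile()` sends the whole file and does not honour `Range` requests, so seeking in the player needs additional handling.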