Thread: restricting file access through web browser...


  1. #1 polkwaves (SitePoint Enthusiast; joined Dec 2006; 35 posts)

    restricting file access through web browser...

    Hi,
    I have an old time radio site in which members can download mp3 shows after they have logged in. Obviously they will find out the url to the files when they are listening to them or while they are downloading the files. Now, when they logout, they can still access those mp3 files from any computer by simply typing the url to the mp3 files. My concern is the following: when members have discontinued their subscription and are no longer members, they would still have access to the mp3 files by simply typing the url in the browser.
    How do I prevent this from happening?

    It was suggested that I use a download script but it is not a viable solution since it only checks for membership status at the time a member has logged in and has requested a particular file. I don't think it would do anything if the person enters the direct url to the mp3 file into the browser.


    It was also suggested that I put the mp3 files outside the public http folder and access them when needed. However, this invites a whole host of other problems such as abusing server resources etc.

    To add to the problem, I will play the mp3 files through a flash mp3 player. I will feed single urls to it or a playlist.

    A viable solution would be to have the mp3 files password protected, but I have no clue how to go about doing this especially while using an embedded flash mp3 player.

    I am at a loss as to how I should efficiently approach this problem. Any help would be much appreciated.

    Thanks
    Last edited by polkwaves; Apr 9, 2007 at 02:46. Reason: none of your business....hehehe jk jk ;)
    http://blisstronix.com~Shopping should be pure bliss ~ Shop for your favorite electronics ~ Great items, Great service, Rock Bottom Prices.

  2. #2 Mandes (Who turned the lights out !!; S.W. France; joined May 2005; 2,485 posts)
    You need to have a membership system. When the user logs into your site using a valid username / password you set a session variable, then at the top of each of your MP3 URLs you check to see if that session variable is set; if not you redirect the user back to the login screen, and if the session variable is set then you allow your MP3 page to load as normal.
    A Little Knowledge Is A Very Dangerous Thing.......
    That Makes Me A Lethal Weapon !!!!!!!!

    Contract PHP Programming

  3. #3 polkwaves (SitePoint Enthusiast; joined Dec 2006; 35 posts)
    Yes but what if they type in the url to the mp3 file into the browser directly?
    They can download the file without logging in..

  4. #4 I87 (Non-Member; UK; joined Mar 2006; 378 posts)
    Quote Originally Posted by polkwaves View Post
    Yes but what if they type in the url to the mp3 file into the browser directly?
    They can download the file without logging in..
    It's impossible to fix that... even myspace still has that problem and they have top paid coders working for them around the clock. There have been numerous attempts to fix it, but no one's had any luck...

    Just make really hard-to-guess file names, make sure no one can see the directory the mp3s are in, use a php script/a database for the members of the site to download the mp3 (uhh.. like... mask the link of the mp3 and check if they're logged in..)

  5. #5 polkwaves (SitePoint Enthusiast; joined Dec 2006; 35 posts)
    Quote Originally Posted by I87 View Post
    It's impossible to fix that... even myspace still has that problem and they have top paid coders working for them around the clock. There have been numerous attempts to fix it, but no one's had any luck...

    Just make really hard-to-guess file names, make sure no one can see the directory the mp3s are in, use a php script/a database for the members of the site to download the mp3 (uhh.. like... mask the link of the mp3 and check if they're logged in..)
    uhhh I don't think anything is impossible. Impossibilities only exist because we deliberately create them for various reasons.

    I'm sure there must be a viable solution.

    I can probably append a random number to the end of the mp3 file and have it fed to the flash player but what if 2 or 3 others are accessing the same file at the same time?
    Last edited by polkwaves; Apr 23, 2007 at 13:25.

  6. #6 polkwaves (SitePoint Enthusiast; joined Dec 2006; 35 posts)
    Quote Originally Posted by I87 View Post
    It's impossible to fix that... even myspace still has that problem and they have top paid coders working for them around the clock. There have been numerous attempts to fix it, but no one's had any luck...

    Just make really hard-to-guess file names, make sure no one can see the directory the mp3s are in, use a php script/a database for the members of the site to download the mp3 (uhh.. like... mask the link of the mp3 and check if they're logged in..)
    hehehehehehe

    Hotlinking prevention seems to be a good solution but, as my young friend I87 stated above, it seems impossible.
    Last edited by polkwaves; Apr 23, 2007 at 13:21.

  7. #7 polkwaves (SitePoint Enthusiast; joined Dec 2006; 35 posts)
    Well, hotlinking seems to have its downsides. Most notably, there seems to be a vulnerability which allows the leecher to spoof the http headers specified by the mod conditions in the htaccess file, thereby gaining access to these files through direct URLs.

    I am looking into password protecting the mp3 files, but it wants to authenticate the server as well! For instance, when I embed a media player and have it play an mp3 file, the browser pops up a username and password dialog box. This behavior is desired for anyone other than the server accessing the files. What should be entered into the .htaccess file in order to authenticate the public while always allowing the server to access the files? I read that I should use the "allow" and "deny" directives, but they don't work. What should be done?

    Thanks
    Last edited by polkwaves; Apr 23, 2007 at 13:21.

  8. #8 Mandes (Who turned the lights out !!; S.W. France; joined May 2005; 2,485 posts)
    Quote Originally Posted by polkwaves View Post
    Yes but what if they type in the url to the mp3 file into the browser directly?
    They can download the file without logging in..

    Your code should serve the mp3 file to the browser through your access page; if the access page doesn't get the correct password it doesn't serve the file.

  9. #9 brent5392 (SitePoint Guru; Australia; joined Dec 2005; 636 posts)
    Hey, all. What's wrong with using something like this? (besides the lack of headers!)

    .htaccess
    Code:
    RewriteEngine On
    RewriteBase /

    # Every request under downloads/ is handled by download.php (the URL in the browser does not change)
    RewriteRule ^downloads/(.+)$ download.php?file=$1 [NC,L]
    download.php
    PHP Code:
    <?php
    session_start();

    // Only a logged-in member gets anything out of downloads/
    if (empty($_SESSION['logged_in']) || $_SESSION['logged_in'] != 1) {
        header('HTTP/1.0 403 Forbidden');
        echo "<h1>Forbidden</h1><p>You don't have permission to access this file on this server.</p>";
        exit;
    }

    // basename() drops any directory part, so a file= value containing ../ cannot escape downloads/
    $name = basename($_GET['file']);
    $path = dirname(__FILE__) . '/downloads/' . $name;

    if ($name === '' || !is_file($path)) {
        header('HTTP/1.0 404 Not Found');
        // The requested name is deliberately not echoed back into the HTML
        echo "<h1>Not Found</h1><p>The requested file was not found on this server.</p>";
        exit;
    }

    header('Content-Type: application/octet-stream');
    header('Content-Length: ' . filesize($path));
    readfile($path); // streams the file rather than loading it all into memory first
    ?>
    PHP | MySQL | (X)HTML | CSS

  10. #10 polkwaves (SitePoint Enthusiast; joined Dec 2006; 35 posts)
    Quote Originally Posted by brent5392 View Post
    Hey, all. What's wrong with using something like this? (besides the lack of headers!)

    [.htaccess and download.php as posted in #9]
    what the heck is all this??

  11. #11 khuramyz (SitePoint Addict; Manchester, UK; joined Oct 2005; 296 posts)
    Yeah try to read more about avoiding hotlinking of server files.

  12. #12 wheeler (SitePoint Wizard; Gold Coast, Australia; joined Mar 2006; 1,369 posts)
    It's a script that is delivering content via a file: e.g. download.php?id=4434 is related via a DB to a certain file. That way the file is only accessible if the user is logged in, as a user who is not logged in will not get anywhere near the file.
    Studiotime - Time Management for Web Developers
    to-do's, messages, invoicing, reporting - 30 day free trial!
    Thomas Multimedia Web Development

  13. #13 brent5392 (SitePoint Guru; Australia; joined Dec 2005; 636 posts)
    Quote Originally Posted by wheeler View Post
    It's a script that is delivering content via a file: e.g. download.php?id=4434 is related via a DB to a certain file. That way the file is only accessible if the user is logged in, as a user who is not logged in will not get anywhere near the file.
    Exactly. Except with the .htaccess file, there is no longer download.php?id=4434, but rather the normal file URL.

  14. #14 polkwaves (SitePoint Enthusiast; joined Dec 2006; 35 posts)
    Quote Originally Posted by wheeler View Post
    It's a script that is delivering content via a file: e.g. download.php?id=4434 is related via a DB to a certain file. That way the file is only accessible if the user is logged in, as a user who is not logged in will not get anywhere near the file.
    I knew that but I was not sure about the code in the .htaccess file.
    And I know that you can control file access through these scripts but how do you control access when a surfer simply types in the url to the mp3 file in the browser?

    Thanks for satisfying my curiosity brent.

    thank you all for your replies.
    =========================

    Back to my problem: I will look into hotlinking as my friend khuramyz suggested. thanks.

  15. #15 polkwaves (SitePoint Enthusiast; joined Dec 2006; 35 posts)
    oh my my my. I didn't realize my young friend was 15 years old.

    Keep it up my young friend.

  16. #16 brent5392 (SitePoint Guru; Australia; joined Dec 2005; 636 posts)
    Quote Originally Posted by polkwaves View Post
    And I know that you can control file access through these scripts but how do you control access when a surfer simply types in the url to the mp3 file in the browser?
    The .htaccess file covers that. Every request for a file in the downloads folder will, behind the scenes, be redirected to the download.php file (without the URL changing in the browser; the browser knows nothing of it). The download.php file then checks if the user is allowed to access this file. If so, it will serve the file to the browser.

    It will only work on an apache server though.

    Off Topic:

    Am I your young friend?

  17. #17 polkwaves (SitePoint Enthusiast; joined Dec 2006; 35 posts)
    Oh mamamia karamia socho kia!..... Brent.. Don't you have high school homework to finish young man!

    Please read the entire thread..

    I am playing the mp3 files through a flash player. If I use the download.php file method, the flash player won't work. It needs a direct link to the mp3 file.

    I was forced to use something like this..

    Code:
    Options -Indexes

    # Require mp3 files to be linked to or embedded from my site
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^http://([-a-z0-9]+\.)?mysite\.com [NC]
    RewriteRule ^(.*)\.(mp3)$ /noaccess.php?$1.$2 [NC,L]

    This checks to see if the referrer is my own site and if not redirects to the no-access page. If the server is trying to access the file then the flash player works. I know there are various inherent problems such as blank referrers and so forth, but my main concern is leechers spoofing the http header and gaining access to the files. Any solutions?

    Thanks
    Last edited by polkwaves; Apr 12, 2007 at 12:11.
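Editor's note: an added example, not code from anyone in this thread. It addresses two points raised above: post #5 (appending a random number to the file URL, and what happens when several members fetch the same file at once) and post #17 (the player needs a direct link, and a Referer check can be spoofed). Instead of a Referer check, the page that embeds the player hands out a URL carrying an HMAC signature and an expiry time, and the serving script verifies that signature before sending a byte. Two members fetching the same track simply hold two different signed URLs, so there is no clash. The script names (stream.php), the secret, and the track table are assumptions; the example requires PHP 5.6 or later for hash_equals().

```php
<?php
// Added example (not from the thread): time-limited, HMAC-signed stream URLs.
// The page embedding the player calls make_stream_url() for a logged-in member;
// stream.php calls verify_stream_token() before sending any bytes.
// Assumed: a server-side secret in $SECRET, an id -> path map in $TRACKS with
// the files stored outside the web root. All names here are illustrative.

$SECRET = 'replace-with-a-long-random-secret-kept-out-of-the-web-root'; // assumption
$TRACKS = array(                                                          // assumption
    35 => '/home/me/mp3s/show-1947-03-12.mp3',
    36 => '/home/me/mp3s/show-1947-03-19.mp3',
);

// Build "stream.php?id=35&m=7&exp=...&sig=..." valid for $ttl seconds.
// The signature covers the track id, the member id and the expiry, so a URL
// cannot be edited to point at another track or to extend its lifetime.
function make_stream_url($track_id, $member_id, $ttl, $secret) {
    $track_id  = (int)$track_id;
    $member_id = (int)$member_id;
    $exp = time() + (int)$ttl;
    $sig = hash_hmac('sha256', "$track_id|$member_id|$exp", $secret);
    return "stream.php?id=$track_id&m=$member_id&exp=$exp&sig=$sig";
}

// Returns the file path to serve, or null when the token is missing,
// altered, expired, or points at an unknown track.
function verify_stream_token(array $q, $secret, array $tracks) {
    foreach (array('id', 'm', 'exp', 'sig') as $k) {
        if (!isset($q[$k])) {
            return null;
        }
    }
    $id  = (int)$q['id'];
    $m   = (int)$q['m'];
    $exp = (int)$q['exp'];
    if ($exp < time()) {
        return null;                       // URL has expired
    }
    $expected = hash_hmac('sha256', "$id|$m|$exp", $secret);
    // Constant-time comparison so the check does not leak how many bytes matched
    if (!hash_equals($expected, (string)$q['sig'])) {
        return null;
    }
    return isset($tracks[$id]) ? $tracks[$id] : null;
}

// --- stream.php side: serve the file only when the token checks out ---
$path = verify_stream_token($_GET, $SECRET, $TRACKS);
if ($path === null || !is_file($path)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Forbidden');
}
header('Content-Type: audio/mpeg');
header('Content-Length: ' . filesize($path));
readfile($path);

// --- player page side (illustrative): only issue URLs to current members ---
// if ($_SESSION['memberstatus'] === 'member') {
//     $url = make_stream_url(35, $_SESSION['member_id'], 600, $SECRET); // 10 minutes
// }
```

Keep the TTL short (minutes, not days): the membership status is checked every time a URL is issued, so a lapsed member's copied URL stops working as soon as the last one they were given expires. If the player does send the browser's cookies, stream.php can additionally require a valid session, but the signed URL is what makes the scheme independent of both cookies and the Referer header.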

  18. #18 polkwaves (SitePoint Enthusiast; joined Dec 2006; 35 posts)
    problem solved...I had to use unorthodox methods but it was worth it

    Thanks

  19. #19 brent5392 (SitePoint Guru; Australia; joined Dec 2005; 636 posts)
    Quote Originally Posted by polkwaves View Post
    Oh mamamia karamia socho kia!..... Brent.. Don't you have high school homework to finish young man!

    Please read the entire thread..

    I am playing the mp3 files through a flash player. If I use the download.php file method, the flash player won't work. It needs a direct link to the mp3 file.
    Yes, plenty, doesn't mean I'm going to do it

    Whoops, sorry, my mistake

  20. #20 pkSML (SitePoint Addict; Ohio; joined Aug 2006; 230 posts)
    Quote Originally Posted by polkwaves
    problem solved...I had to use unorthodox methods but it was worth it
    I'd be interested to hear how you did this. Was it the method you described in post 17?

    Anyways, you could use a PHP script to serve the MP3 files. Then you could do any authentication work in the PHP script.

    For example: Flash app accessing auth.php?file=35 for an MP3 file
    Auth.php would send the binary data for whatever MP3 file file=35 points to --- if the person was logged in.

    Make sense?
    -Stephen


  21. #21 polkwaves (SitePoint Enthusiast; joined Dec 2006; 35 posts)
    Quote Originally Posted by pkSML View Post
    I'd be interested to hear how you did this. Was it the method you described in post 17?

    Anyways, you could use a PHP script to serve the MP3 files. Then you could do any authentication work in the PHP script.

    For example: Flash app accessing auth.php?file=35 for an MP3 file
    Auth.php would send the binary data for whatever MP3 file file=35 points to --- if the person was logged in.

    Make sense?
    Hi,

    Actually, to be honest with you, my method seemed appealing at first but it turns out that it will not work. I'm still in the dark as to how I can solve this problem. I am going to embed a windows media player into the page and see if that will work. I will update my situation as it develops.

    Thanks

  22. #22 polkwaves (SitePoint Enthusiast; joined Dec 2006; 35 posts)
    I finally decided to put my mp3 files outside the webroot. If the member wants to download the file I use a php script to check for membership status and force download via the following script:
    PHP Code:
    <?php

    // Path outside the web root; the web server cannot serve it directly
    $filename = "/home/me/somedir/mp3file.mp3";

    header("Content-Length: " . filesize($filename));
    header('Content-Type: audio/mpeg'); // registered MIME type for MP3
    header('Content-Disposition: attachment; filename=mp3file.mp3');

    readfile($filename);

    ?>
    That works fine. However, when I supply the src as /home/me/somedir/mp3file.mp3 to the embedded media player it does not work. any ideas as to how I can have media player play mp3 files outside of webroot?

    thanks

  23. #23 pkSML (SitePoint Addict; Ohio; joined Aug 2006; 230 posts)
    Use the PHP script you have in the previous post. Access the PHP script like play.php/mp3file.mp3
    This will make the media player think the file is an MP3. Since PHP has access outside the webroot, you can have your MP3 file located anywhere you want.

    I tried this on my webserver (Abyss) and it worked flawlessly with Windows Media Player.

    BTW, since the PHP script is serving the media, you can use sessions or whatever security you wish.
    -Stephen


  24. #24 polkwaves (SitePoint Enthusiast; joined Dec 2006; 35 posts)
    everything works great. this is what I did:

    html code
    Code:
    <object id="MediaPlayer1" width=200 height=400
    classid="CLSID:22D6F312-B0F6-11D0-94AB-0080C74C7E95"
    codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab$
    standby="Loading Microsoft® Windows® Media Player components..."
    type="application/x-oleobject" align="middle">
    <param name="FileName" value="testlist.m3u">
    <param name="AutoStart" value="1">
    <param name="ShowStatusBar" value="True">
    <param name="DefaultFrame" value="mainFrame">
    <embed type="application/x-mplayer2"
    pluginspage = "http://www.microsoft.com/Windows/MediaPlayer/"
    src="testlist.m3u" align="middle"
    width="200"
    height="400"
    defaultframe="rightFrame"
    showstatusbar=true>
    </embed>
    </object>
    testlist.m3u file:

    Code:
    test.php?name=test.mp3
    test.php?name=violin.mp3
    test.php script:


    PHP Code:
    <?php
    session_start(); // the session must be started before $_SESSION can be read

    if (isset($_SESSION['memberstatus']) && $_SESSION['memberstatus'] == "member") {

        // basename() drops any directory part, so name=../../etc/passwd cannot escape /home/me/
        $servethis = basename($_GET['name']);
        $filename  = "/home/me/$servethis";

        header("Content-Length: " . filesize($filename));
        header('Content-Type: audio/mpeg'); // registered MIME type for MP3
        // double quotes so $servethis is actually interpolated
        header("Content-Disposition: inline; filename=\"$servethis\"");

        readfile($filename);

    } else {
        header('HTTP/1.0 403 Forbidden');
    }

    ?>
    Works great, but of course there's probably always a work around which allows leeching of files even with this method. However, this should preclude 99.9% of leechers from gaining access to the files (correct?).

    This method works great with the flash mp3 player as well and the mp3 files are not cached in the browser's memory.

    I could probably use some other method of serving the files (ie htaccess and so forth) but this will have to do for now. I reserved this method as a last resort because I will have to host the main site and the mp3 files on the same server (my 2nd web hoster). I originally wanted to host the main site on hoster #1 and serve the files from host #2. This was my original intention since host 2 provided unlimited space and BW hehe.
    Furthermore, I am able to install software and have more features such as telnet/shell access with host 1, but now I will have to host my main site plus the mp3 files on host 2, unless I come up with an alternative method of serving files in this fashion remotely (and I think I may have it).

    " technology is only as good as the capitalistic ideals upon which it is based "
    Last edited by polkwaves; Apr 21, 2007 at 19:22.
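Editor's note: an added example, not the poster's code, building on the approach in post #24 (a playlist of play.php?name=... entries served from outside the webroot) and on the directory-permission advice in post #25. It adds the two things a practitioner would want on top of the posted test.php: the client-supplied name is confined to one media directory with realpath(), so symlinks and ../ cannot reach anything else, and HTTP Range requests are honoured, so a media player can seek within the file. The directory name, the script name play.php, and the $_SESSION['memberstatus'] flag are assumptions (the flag is the one used in the thread).

```php
<?php
// Added example (not the poster's code): session-gated streaming of MP3s kept
// outside the web root, with the file name confined to one directory and with
// HTTP Range support so media players can seek. Assumed names: MEDIA_DIR,
// play.php, and $_SESSION['memberstatus'] as used in the thread.

define('MEDIA_DIR', '/home/me/mp3s'); // assumption: outside the document root

// Map a client-supplied name to a real path inside MEDIA_DIR, or return null.
// basename() drops any directory part; realpath() then resolves symlinks so the
// result is compared against the resolved media directory, not a raw string.
function resolve_media_path($name) {
    $base = realpath(MEDIA_DIR);
    $name = basename((string)$name);
    if ($base === false || $name === '' || substr($name, -4) !== '.mp3') {
        return null;
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0 || !is_file($path)) {
        return null;
    }
    return $path;
}

// Parse "bytes=start-end" (the form players send) against the file size.
// Returns array(start, end) or null when the header is absent or unusable.
function parse_range($header, $size) {
    if (!preg_match('/^bytes=(\d*)-(\d*)$/', (string)$header, $m)) {
        return null;
    }
    if ($m[1] === '' && $m[2] === '') {
        return null;                           // "bytes=-" is not a range
    }
    if ($m[1] === '') {                        // "bytes=-500": the last 500 bytes
        $start = max(0, $size - (int)$m[2]);
        $end   = $size - 1;
    } else {
        $start = (int)$m[1];
        $end   = ($m[2] === '') ? $size - 1 : min((int)$m[2], $size - 1);
    }
    if ($start > $end || $start >= $size) {
        return null;
    }
    return array($start, $end);
}

// Send the whole file, or the requested byte range, with the headers a player expects.
function stream_file($path, $range_header) {
    $size  = filesize($path);
    $range = parse_range($range_header, $size);
    header('Content-Type: audio/mpeg');
    header('Accept-Ranges: bytes');
    header('Content-Disposition: inline; filename="' . basename($path) . '"');
    if ($range === null) {
        header('Content-Length: ' . $size);
        readfile($path);
        return;
    }
    list($start, $end) = $range;
    header('HTTP/1.1 206 Partial Content');
    header("Content-Range: bytes $start-$end/$size");
    header('Content-Length: ' . ($end - $start + 1));
    $fh = fopen($path, 'rb');
    fseek($fh, $start);
    $left = $end - $start + 1;
    while ($left > 0 && !feof($fh)) {           // stream in chunks, never the whole file in memory
        $chunk = fread($fh, min(8192, $left));
        echo $chunk;
        $left -= strlen($chunk);
    }
    fclose($fh);
}

// play.php entry point. The membership check runs on every request, so ending
// a lapsed member's session (or re-reading their status from the database
// here) cuts them off even if they bookmarked a playlist URL.
session_start();
if (!isset($_SESSION['memberstatus']) || $_SESSION['memberstatus'] !== 'member') {
    header('HTTP/1.1 403 Forbidden');
    exit('Forbidden');
}
$path = resolve_media_path(isset($_GET['name']) ? $_GET['name'] : '');
if ($path === null) {
    header('HTTP/1.1 404 Not Found');
    exit('Not found');
}
stream_file($path, isset($_SERVER['HTTP_RANGE']) ? $_SERVER['HTTP_RANGE'] : '');
```

The playlist from post #24 works unchanged with this script (play.php?name=test.mp3 per line). The realpath() check is what makes the directory confinement hold: a prefix check on the unresolved string would accept a symlink placed inside the media directory that points elsewhere, whereas the resolved path of such a file lies outside $base and is rejected.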

  25. #25 (SitePoint Zealot; joined Mar 2007; 192 posts)
    You need to restrict permissions on the directory, keep all protected files in there, and have a script that allows the user to download the file require logged-in status to be confirmed.

    Then in the script read the file and output it to the browser. To see what types of headers you need, use http://www.web-sniffer.net to view the response header that is sent by the browser, and send the same ones with your script. Then send the file contents, and the browser will download the file.

    This way a user's browser cannot view the files without being logged in and downloading them via the script, which requires user authentication.

    -voodoo
