Rather than redirect, you could have the file “read” or “get contents” of the song if certain criteria were met (e.g. valid session).
As for downloading, you can stop hot-linking and direct linking, but for someone to listen to it on their computer it has to be downloaded. And if they know how, they can save it.
I’ve been thinking a lot on how to do this and I think verification through sessions is the best way, but I’ve never used them before and the manual is awful.
So far, I start a session on songs.php which has 5 songs (5 instances of flash mp3 players) and create a $_SESSION['key'] = "keywordonlyiknow"
I want the play.php?file=encryptedfilename file to see if the session is created and then play the file, otherwise, it shouldn’t do anything.
That way, if someone just enters play.php?file=encryptedfilename, it shouldn’t get the file since the session wasn’t created on songs.php
Sorry, I meant to get back sooner, but got distracted.
What I meant by downloading songs, was not by requesting them directly, but by going about it the “right” way. Once it’s on someone’s computer for them to listen to, they can save it if they know how (i.e. in the browser’s cache).
If you put the song files outside of the site’s root folder, they can’t be had by HTTP requests. They can only be accessed by a file under the root that “gets” the files. If you have the page that links to that file set a session variable and check to make sure it’s set and valid then AFAIK the only way someone can download a song file is through your page that sets the session variable.
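The session-gated play.php described in this thread could look like the sketch below; it is an added example, not code posted by anyone in the thread. It swaps the single $_SESSION['key'] and the "encrypted filename" for a per-session map of random tokens to file names, and it assumes a song directory of /var/media/songs outside the web root and a songs.php that fills $_SESSION['songs'] (all hypothetical names).

```php
<?php
declare(strict_types=1);

// play.php (added example). Assumptions, not from the thread:
//  - songs live in SONG_DIR, which is outside the web root;
//  - songs.php called session_start() and, for each player it rendered, did
//      $_SESSION['songs'][bin2hex(random_bytes(16))] = 'track1.mp3';
//    then pointed the player at play.php?file=<that token>.
const SONG_DIR = '/var/media/songs';

function deny(int $status): void
{
    http_response_code($status);
    exit;
}

session_start();

// 1. No session data from songs.php means the request did not come via that page.
if (empty($_SESSION['songs']) || !is_array($_SESSION['songs'])) {
    deny(403);
}

// 2. The parameter is only a lookup key. It never becomes part of a path,
//    so ?file=../../etc/passwd simply fails the lookup.
$token = $_GET['file'] ?? '';
if (!is_string($token) || !isset($_SESSION['songs'][$token])) {
    deny(404);
}

// 3. Resolve the stored name and confirm the result is still inside SONG_DIR.
$base = realpath(SONG_DIR);
$path = realpath(SONG_DIR . '/' . basename((string) $_SESSION['songs'][$token]));
if ($base === false || $path === false || !is_file($path)
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    deny(404);
}

// Release the session lock so several players on one page do not block each other.
session_write_close();

header('Content-Type: audio/mpeg');
header('Content-Length: ' . (string) filesize($path));
header('X-Content-Type-Options: nosniff');
readfile($path);
```

A request without the session cookie gets a 403, and a token that songs.php never issued for that session gets a 404; a visitor who loaded songs.php still receives the full file, as noted in the replies above.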