I am creating a website in which I need to show some resources like PDFs and videos online. The condition is that they should not be downloadable by the user.

For the PDF part, I have created SWFs of them using PDF2SWF and showing them to user. However, I am confused about videos.

I saw this link and this link for some solutions. However, one suggests using `<canvas>` to mask the `<video>`. That looked good, but when it came to creating JS controls for custom buttons and sliders, that sounded too complicated.

Another solution in the first link, about temporary tokens, was good and I am looking forward to using it. But I am a bit confused about it. My environment is PHP, MySQL. The point I am not clear about is: when the server validates the URL with the method given here, in my case it is supposed to send a link to the actual video file in order to play the video in the browser, isn't it? So it kind of defeats the purpose of tokens in the end.

How can I exactly implement this? Any help will be very much appreciated, thank you :)

tigerden
  • 1
    And what if I used a screen recorder? And what if I download the SWF directly and decompile it? – vonUbisch Mar 09 '14 at 21:27
  • 1
    @vonUbisch That falls into the "not easy" category IMO – Wesley Murch Mar 09 '14 at 21:28
  • 2
    that's why I said `easily`. Because even videos on YouTube can be downloaded, I am not looking for state-of-the-art security, but at the same time I do not want to be so naive as to reveal the URL of the file directly in the page source – tigerden Mar 09 '14 at 21:29

1 Answer

Just generate a hash when the video is requested:

```php
// just an example, hash however you want
// hex digest (no raw-output flag) so the value is safe to put in a URL
$hash = md5(filesize($video));
```

Then save this hash in the session

```php
session_start();
$_SESSION['video_hash'] = $hash;
```

Then redirect

```php
header('Location: http://domain.tld/path/to/video.ext?vh='.$hash);
exit; // stop the script once the redirect header has been sent
```

Now on the page where the video actually loads:

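```php
session_start();
// isset() rejects a missing parameter or an already expired (null) hash;
// without it, null === null would pass the check
if (isset($_GET['vh'], $_SESSION['video_hash']) && $_GET['vh'] === $_SESSION['video_hash']):
    // play the video
    // video code here
    // expire the hash
    $_SESSION['video_hash'] = null;
else:
    // forbidden error
    header('HTTP/1.0 403 Forbidden');
endif;
```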

This is not an end-all, be-all method and should be taken with a grain of salt.

Ohgodwhy
  • You just forgot a minor apostrophe for `$_SESSION['video_hash] = $hash;`. – Anonymous Mar 09 '14 at 21:32
  • but in `//video code here` will have something like ` – tigerden Mar 09 '14 at 21:33
  • The `.ext` would actually be a PHP script, check out [`mod_rewrite`](http://httpd.apache.org/docs/current/mod/mod_rewrite.html) for details on how to do it. The `.ext` is also there to give the browser a hint to treat whatever is there as a `.ext` file. – AmazingDreams Mar 09 '14 at 21:34
  • okay, but finally, when the video actually streams in the browser, the `video` tag will have the source of the actual video file present on the server, if I am not wrong. And that `video` tag will be present in the page source. Can the user see the page source and get the direct link of the video file present on the server and download it? – tigerden Mar 09 '14 at 21:37
  • Inject the `video` element to the DOM with some obfuscated Javascript, just an idea. Depends on your definition of 'easily'. – vonUbisch Mar 10 '14 at 19:02
  • 1
    @tigerden, you are right in that IF I CAN SEE THE VIDEO I CAN STEAL IT. There is no 100% guarantee that your video cannot be stolen unless you use temporary URL or DRM – Xianlin Sep 25 '14 at 08:15
  • @Xianlin Neither of those methods matter, either. Screen Capture cannot be stopped. – Ohgodwhy Sep 25 '14 at 09:23
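
One way to apply the token idea so that the real file path never reaches the page source, as an added example that is not code from the answer or its commenters: the `<video>` tag points at a PHP script, which checks a random session-bound token and streams a file stored outside the web root. `VIDEO_DIR`, `video.php` and the function names are assumptions.

```php
<?php
// Added example. VIDEO_DIR, video.php and the function names are assumptions.
declare(strict_types=1);

const VIDEO_DIR = '/srv/private_videos'; // assumed location outside the web root
const TOKEN_TTL = 300;                   // seconds a token stays valid

// Embedding page (after session_start()): returns the value for <video src="...">.
function issue_video_url(string $videoId): string
{
    $token = bin2hex(random_bytes(16));  // unpredictable and URL-safe
    $_SESSION['video_tokens'][$token] = [
        'id'      => $videoId,
        'expires' => time() + TOKEN_TTL,
    ];
    return '/video.php?vh=' . $token;
}

// Map a token from this session to a file path; null if unknown or expired.
function resolve_video_token(string $token): ?string
{
    $entry = $_SESSION['video_tokens'][$token] ?? null;
    if ($entry === null || time() > $entry['expires']) {
        unset($_SESSION['video_tokens'][$token]);
        return null;
    }
    // basename() keeps the stored id from escaping VIDEO_DIR.
    $path = VIDEO_DIR . '/' . basename($entry['id']) . '.mp4';
    return is_file($path) ? $path : null;
}

// Body of video.php: the browser only ever sees this script's URL.
// The token expires by time rather than on first use, because a player
// may request the same URL more than once. Range requests are not handled.
function serve_video(string $token): void
{
    $path = resolve_video_token($token);
    if ($path === null) {
        http_response_code(403);
        exit('Forbidden');
    }
    session_write_close();               // release the session lock before streaming
    header('Content-Type: video/mp4');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');
    readfile($path);
    exit;
}
// video.php would contain: session_start(); serve_video((string)($_GET['vh'] ?? ''));
```

The script URL copied from the page source stops working once the token expires or when it is requested from a different session; it does not stop a viewer who is allowed to watch from saving the stream while the token is valid.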