-2

I want to use some system to create protected/unique urls for download and streaming. For example we have:

domain/file.mp4

For a user to be able to download that file, I want to put it in a php page with a download button and a streaming player so it will be:

domain/download?=file.mp4

Inside the generated php page, the download URL is:

domain/file.mp4?AccessKeyId=AXIXI

Thus, users won't be able to share the link. I don't even know if this is possible, just asking here for some ideas.

Nathaniel Ford
eazy
  • It is possible but if any user has _'domain/download?=file.mp4&accessKeyId=AXIXI'_, they can still share the link amongst friends/the whole internets. You need to think about registration, cookies and swizzle like that. – Duncan Tidd Jan 30 '16 at 00:42
  • You could frequently change the download urls. – Progrock Jan 30 '16 at 00:42
  • You could use a form and captcha. Or a form with a time limited token. – Progrock Jan 30 '16 at 00:45

1 Answer

0

Use a cookie to validate the download link. If the two match, then allow the download.

For example, the PHP file containing the download link could generate it as follows:

<?php

  ///// Put these two lines in a shared config file: /////
    define('SALT','*** Insert a random string here ***');
    define('RESOURCES_DIRECTORY', '/home/eazy/files/');
  ////////////////////////////////////////////////////////

  // Sets the 'key' cookie that authenticates the link, then returns the link.
  function get_download_url($filename) {
    $expire = time() + 3600; // Link expires in 1 hour
    $auth_data = "f=$filename&e=$expire";
    $cookie_key = md5($auth_data . SALT);
    setcookie('key',$cookie_key,0,'/');
    return "/download.php?$auth_data";
  }

  // setcookie() sends a header, so build the URL before any HTML is output.
  $download_url = get_download_url('my_video.mp4');

?>

<a href="<?= htmlspecialchars($download_url) ?>" rel="nofollow">Download video</a>

And then the /download.php file can authenticate the download as follows:

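<?php

  // Load SALT and RESOURCES_DIRECTORY from the shared config file (file name assumed).
  require __DIR__ . '/config.php';

  // Accept only string parameters; anything else is treated as missing.
  $filename = isset($_GET['f']) && is_string($_GET['f']) ? $_GET['f'] : '';
  $expire = isset($_GET['e']) ? intval($_GET['e']) : 0;
  $cookie = isset($_COOKIE['key']) && is_string($_COOKIE['key']) ? $_COOKIE['key'] : '';
  $auth_data = "f=$filename&e=$expire";
  $cookie_key = md5($auth_data . SALT);
  $file = RESOURCES_DIRECTORY . $filename;
  // hash_equals() compares in constant time and, unlike !=, never treats
  // two different "0e..." hashes as equal numbers.
  if (!hash_equals($cookie_key, $cookie) || $expire < time() || !is_file($file)) {
    header('HTTP/1.1 404 Not Found');
    die("File not found");
  }
  else {
    header('Content-Type: video/mp4');
    header('Content-Length: ' . filesize($file));
    readfile($file);
  }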

If you can avoid generating open_basedir restriction errors, store the downloadable files outside your WWW directory. That way, users will have no choice but to use this script to access the files, and will only be successful if they have obtained a valid cookie by visiting the page containing the download link.

Note: this code will defeat casual link-sharing, but isn't super-secure and won't stop people sharing the downloaded files. There's no point being too paranoid, because people will still be able to share the downloaded files even if they can't easily share the download links.

Community
r3mainer
  • Hmm, so for a super secure system (for example digital downloads) I can't do a script by myself but I need to buy something meant for that reason. Woah, I thought that this could be easier, because with htaccess you can restrict download per IP or put a password or some other stuff, but always manually, so I thought that there could be a method to do this automatically with PHP, but it seems not. I'll leave this post here just for other ideas, maybe something useful for someone will appear. – eazy Jan 30 '16 at 09:59
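
A stricter variant of the time-limited link discussed above, as an added example that is not part of the original answer or comments: the link carries an HMAC-SHA256 signature over the file name, the expiry time and the id of the logged-in user, so it only verifies for the account it was issued to. `SECRET_KEY`, the `s` parameter, the user ids and the function names are assumptions, and the user id is assumed to come from an authenticated session.

```php
<?php
// Added example, not the answer's code. SECRET_KEY, the 's' parameter, the
// user ids and all function names are assumptions made for illustration.
const SECRET_KEY = 'replace-with-a-long-random-secret';

function sign_download(string $filename, string $user_id, int $expire): string {
    // Length-prefix the variable fields so the signed message is unambiguous.
    $msg = strlen($filename) . ':' . $filename
         . strlen($user_id) . ':' . $user_id . ':' . $expire;
    return hash_hmac('sha256', $msg, SECRET_KEY);
}

function make_download_url(string $filename, string $user_id, int $ttl = 3600): string {
    $expire = time() + $ttl;
    return '/download.php?' . http_build_query([
        'f' => $filename,
        'e' => $expire,
        's' => sign_download($filename, $user_id, $expire),
    ]);
}

function verify_download(array $query, string $user_id, int $now): bool {
    $f = $query['f'] ?? null;
    $e = $query['e'] ?? null;
    $s = $query['s'] ?? null;
    // Reject missing fields and array parameters such as f[]=x.
    if (!is_string($f) || !is_string($e) || !is_string($s) || !ctype_digit($e)) {
        return false;
    }
    // Only a bare file name is accepted, never a path.
    if ($f === '' || basename($f) !== $f) {
        return false;
    }
    if ((int) $e < $now) {
        return false;
    }
    return hash_equals(sign_download($f, $user_id, (int) $e), $s);
}

// Constructed demo: issue a link for user-42, then check four requests.
parse_str(parse_url(make_download_url('my_video.mp4', 'user-42'), PHP_URL_QUERY), $q);
var_dump(verify_download($q, 'user-42', time()));        // issuing account
var_dump(verify_download($q, 'user-99', time()));        // link shared with another account
var_dump(verify_download($q, 'user-42', time() + 7200)); // one hour after expiry
var_dump(verify_download(['f' => '../config.php'] + $q, 'user-42', time())); // edited file name
```

Because the signature travels in the URL, no cookie is needed and one page can carry several links at once.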