I have a music sharing site and realize that the files on my site are not necessarily protected, as they are stored in a subfolder in public_html. I need to protect them in a way that they still work for anyone in the music player, which is located on a listen.php page. However, if the user goes directly to a file, such as this http://www.pearlsquirrel.com/mp3/95d246c26a7c003cdac86ead05659b37.m4a, I do not want them to be able to download the file, so as to protect my users. However, I cannot add any code to that page because it is an mp3. Is there a way to add an index to the folder that would allow me to add JavaScript to that page? I tried using .htaccess but had no luck with it. If anyone knows how I could possibly solve this problem, it would be greatly appreciated. Thanks!
3
- If you don't want people to access the files that you, or others, put on the internet you've got two simple options; 1: *don't put them on the internet* or, 2: *put them outside of the web-root*. – David Thomas Mar 08 '12 at 22:24
- Consider putting the files themselves outside the Web root, and exposing them via a PHP script or similar, so that you can require the user to log in before accessing the file. – cmbuckley Mar 08 '12 at 22:30
- +1 For putting the files outside the web root. Then use `../../file.m4a` to let PHP access the files. – Hope4You Mar 08 '12 at 22:30
- Generally if your web-based music player can access it, then your users can grab the file directly. You could however require a special query string that your (Flash-based) music player uses - though this can also be done by savvy users who know how to find out what the query string is. Lastly you could encode/encrypt your music, and decode it in the player - but again this can be subverted. – halfer Mar 08 '12 at 22:30
- Good point from @cbuckley - are you willing to require users to be logged in to listen to your music? – halfer Mar 08 '12 at 22:35
- They do not have to be logged in to listen to the music. I am working on trying to put the files outside of the web-root. – Eggo Mar 08 '12 at 22:43
3 Answers
1
Stu Thompson explains a few ways well in this post: Protect flash video from download/right protect. Also, this link may be particularly useful for you: Is it possible to protect from downloading a video from a site


Ryan Kempt
1
Try with .htaccess to:
- forbid directory listing
- check the URL referrer / remote IP address
But, depending on the way you play the file to the user, if there is direct access to the file, it will be hard to secure.

Francois
0
You could rewrite your music files' URLs to a PHP script, check some login via session and output the music file only if the user is logged in.
You could also put a copy of an mp3 that a user is listening to, with a session id in the name, and remove it after the session becomes invalid. This way every user has their own URL that will not be active permanently.

Basti
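One way to combine the suggestions above (files outside the web root, served through a PHP script that checks the session, with per-session links that expire), as an added example that is not code from the thread. `MEDIA_DIR`, `stream.php`, the `f`/`e`/`t` query parameters and the `stream_key` session entry are assumed names; as the comments point out, a listener who can play a file can still capture it, so this only stops direct and shared links.

```php
<?php
// Added example, not from the thread. Assumed names: MEDIA_DIR, stream.php,
// the f/e/t query parameters and the "stream_key" session entry.
declare(strict_types=1);

const MEDIA_DIR = '/home/example/private_media'; // assumption: outside public_html
const LINK_TTL  = 300;                            // seconds a link stays valid

// listen.php calls session_start(), then this, and hands the URL to the player.
function signed_stream_url(string $file): string
{
    $_SESSION['stream_key'] ??= bin2hex(random_bytes(32)); // per-session secret
    $expires = time() + LINK_TTL;
    $token = hash_hmac('sha256', $file . '|' . $expires, $_SESSION['stream_key']);
    return 'stream.php?' . http_build_query(['f' => $file, 'e' => $expires, 't' => $token]);
}

// stream.php calls this: verify the request, then send the file or an error status.
function serve_stream(array $query): void
{
    $file    = (string)($query['f'] ?? '');
    $expires = (int)($query['e'] ?? 0);
    $token   = (string)($query['t'] ?? '');
    $key     = $_SESSION['stream_key'] ?? null;

    // Accept only names shaped like the site's files (32 hex chars + .m4a), never paths.
    if (!is_string($key) || !preg_match('/\A[0-9a-f]{32}\.m4a\z/', $file)) {
        http_response_code(403);
        return;
    }
    // The token binds file name and expiry to this session; compare in constant time.
    $expected = hash_hmac('sha256', $file . '|' . $expires, $key);
    if ($expires < time() || !hash_equals($expected, $token)) {
        http_response_code(403);
        return;
    }
    $path = MEDIA_DIR . '/' . $file;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: audio/mp4');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');
    readfile($path);
}

// Entry point when this file is deployed as stream.php.
if (basename($_SERVER['SCRIPT_NAME'] ?? '') === 'stream.php') {
    session_start();
    serve_stream($_GET);
}
```

`readfile()` does not answer HTTP Range requests, so seeking in some players needs extra handling on top of this.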