Protecting embedded media
Posted: September 3rd, 2009 | Author: Nathan
I recently picked up a little side job wherein the client wanted to protect embedded Quicktime files in the members-only section of their web site (it was a tutoring site). Obviously, anybody who’s really determined to get their hands on such embedded media would find a way using a screen recorder or other “advanced” means. The idea here was to prevent the average user from being able to download the file using the embed URL or any Firefox plugins.
I was surprised at the few and relatively unhelpful posts I found on the subject, so I thought I’d throw mine into the mix. I’m not saying it’s hackproof or totally secure, but if anybody sees a way around it I’d be interested to know how.
The basic premise is this: at the top of each page containing embedded media you generate a token, which is a hash of the file name and a random number; the hash and the number are both stored as PHP session variables. Rather than having the EMBED tag reference a media file in the publicly accessible section of your website, you store the media “above root” and point the tag at a PHP script (media.php, in this example) that checks the token, serves up the file if all looks well, and then destroys the token.
First, I placed the media above the web root on the server. If www.mysite.com translates to /home/user123/domains/mysite/html on your server, you want to place the media in a folder such as /home/user123/domains/mysite/media. Then we create a PHP file called media.php in the web root to serve these files up.
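<?php
// media.php
// start the PHP session
session_start();
// take only the base name so the request cannot point outside the media directory
$filename = isset($_GET['filename']) ? basename($_GET['filename']) : '';
// read the token data, tolerating a session that has none
$number = isset($_SESSION['number']) ? (string) $_SESSION['number'] : '';
$hash = isset($_SESSION['hash']) ? (string) $_SESSION['hash'] : '';
// check the hash (this will make sense in a minute)
if ($filename !== '' && $hash !== '' && hash_equals($hash, (string) crypt($filename, $number))) {
    // if the hash is good, destroy the token and all related data
    $_SESSION['hash'] = "";
    $_SESSION['number'] = "";
    // open the file in a binary mode
    $name = '/home/user123/domains/mysite/media/' . $filename;
    $fp = fopen($name, 'rb');
    // if the file cannot be opened, redirect instead of sending broken headers
    if ($fp === false) {
        header("Location: index.php");
        exit;
    }
    // send the right headers. you'll have to change these if you're using something other than quicktime
    header("Content-Type: video/quicktime");
    header("Content-Length: " . filesize($name));
    // dump the media and stop the script
    fpassthru($fp);
    exit;
} else {
    // if something goes wrong, redirect and stop the script
    header("Location: index.php");
    exit;
}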
At the top of the page you want the media on, include the following code:
<?php
// the name of the file in the /home/user123/domains/mysite/media directory
$movie = "sample.mov";
// start the php session and generate a random number
session_start();
$number = rand(0,100000);
// create a hash from the two
$hash = crypt($movie,$number);
// store the hash and the number as session variables
$_SESSION['hash'] = $hash;
$_SESSION['number'] = $number;
?>
Then, in your HTML, where you would normally have src="mymovie.mov" you now use src="media.php?filename=mymovie.mov", with the file name matching the $movie value set at the top of the page.
Since the random number and hash are stored as PHP session variables, the user oughtn’t be able to see them and the hash should stay secret. The token is essentially “cashed in” when the media.php file is called and the media is returned to the browser.
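The same one-time token, as an added example that is not part of the original post: it swaps rand() and crypt() for random_bytes(), hash_hmac() and hash_equals(), and confirms the resolved path stays inside the media directory. The function names, session keys and the demo directory are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not code from the original post.

// Page side: call after session_start(); returns the value for the EMBED src.
function issue_media_token(string $movie): string
{
    $key = random_bytes(32); // secret from the CSPRNG, never sent to the browser
    $_SESSION['media_key'] = $key;
    $_SESSION['media_hash'] = hash_hmac('sha256', $movie, $key);
    return 'media.php?filename=' . rawurlencode($movie);
}

// media.php side: returns the path to serve, or null if the request is refused.
function redeem_media_token(string $requested, string $mediaDir): ?string
{
    $key = $_SESSION['media_key'] ?? '';
    $expected = $_SESSION['media_hash'] ?? '';
    // single use: the token is gone whether or not this request succeeds
    unset($_SESSION['media_key'], $_SESSION['media_hash']);
    if (!is_string($key) || !is_string($expected) || $key === '' || $expected === '') {
        return null;
    }
    // the full file name is authenticated and compared in constant time
    $filename = basename($requested);
    if (!hash_equals($expected, hash_hmac('sha256', $filename, $key))) {
        return null;
    }
    // resolve the path and make sure it is a regular file inside the media directory
    $root = realpath($mediaDir);
    $path = realpath($mediaDir . DIRECTORY_SEPARATOR . $filename);
    if ($root === false || $path === false || !is_file($path)
        || strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo for the command line: a temporary media directory and a fake session.
$_SESSION = [];
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'media_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'sample.mov', 'constructed bytes');
issue_media_token('sample.mov');
var_dump(redeem_media_token('sample.mp4', $dir) === null); // a different file name
issue_media_token('sample.mov');
var_dump(redeem_media_token('sample.mov', $dir) !== null); // the first request
var_dump(redeem_media_token('sample.mov', $dir) === null); // a replayed request
```

In media.php the returned path would be passed to fopen() and fpassthru() as in the script above; the demo lines at the bottom are only for running the file from the command line.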