How do I secure mp4 & flv video

Question

I am developing a member only site and need to secure the video URLs that will be available on it so they cannot be shared around or passed to non-members.

I've heard of URL masking but have no idea how to do this. Or is there another way?

Basically, the videos will be held either on a remote server (vps) or via Amazon S3 and the site will call the video and stream it either in flowplayer, JW player or whatever player I can find that will allow me to secure the video.

Does anyone know how to do this? Or know of a service that will do this for me?

Answer 1

Yes you can do this. Just because it's being "played" client side doesn't mean it'll be saved client side - you'd have to use software that can record the stream as it's being played. Either screen capture software or something like it.

Anyway, to do this you need to use .htaccess to redirect file requests to a php file that will dynamically serve the location of the file and obfuscate the URL.

You will need the following in your html code

<html>
<body>
<script type="text/javascript" src="flowplayer-3.2.12.min.js">
</script>
  <script type="text/javascript">
// <![CDATA[
  window.onload = function () {
    $f("player", "flowplayer-3.2.16.swf", {
      plugins: {
        secure: {
          url: "flowplayer.securestreaming-3.2.8.swf",
          timestampUrl: "sectimestamp.php"
        }
      },
      clip: {
        baseUrl: "secure", // Im using a folder called "secure" you can call it whatever you want
        url: "trailer.flv",
        urlResolvers: "secure",
        scaling: "fit",
        onStart: function (clip) {
          document.getElementById("info").innerHTML = clip.baseUrl + "/" + clip.url;
        }
      }
    });
  };
  // ]]>
  </script>

<div id="player"></div>

</body>
</html>

sectimestamp.php has just this line in it:

<?php
echo time();
?>

then you need to write your .htaccess file as follows and place it in your "secure" folder or wherever the videos are being kept:

RewriteEngine on


RewriteRule ^(.*)/(.*)/(.*)$ video.php?h=$1&t=$2&v=$3

RewriteRule ^$ - [F]
RewriteRule ^[^/]+\.(flv|mp4)$ - [F]

next step is your video.php file which is in the same directory as your .htaccess (you can put it elsewhere just adjust the url in the .htaccess

<?php
$hash = $_GET['h'];
$streamname = $_GET['v'];
$timestamp = $_GET['t'];
$current = time();
$token = 'kljaslidilhal9023402'; // I recommend a dynamic token to be generated using something like mt_rand() function
$checkhash = md5($token . '/' . $streamname . $timestamp);

if (($current - $timestamp) <= 2 && ($checkhash == $hash)) {
  $fsize = filesize($streamname);
  header('Content-Disposition: attachment; filename="' . $streamname . '"');
  if (strrchr($streamname, '.') == '.mp4') {
    header('Content-Type: video/mp4');
  } else {
    header('Content-Type: video/x-flv');
  }
  header('Content-Length: ' . $fsize);
  session_cache_limiter('nocache');
  header('Expires: Thu, 19 Nov 1981 08:52:00 GMT');
  header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
  header('Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0');
  header('Pragma: no-cache');
  $file = fopen($streamname, 'rb');
  print(fread($file, $fsize));
  fclose($file);
  exit;
} else {
  header('Location: /secure');
}

?>

This is the validation part where the token is checked against the stream to make sure that it's not more than 2seconds old - otherwise you will have to refresh the page and request a new token.

Now what all this does is if you try to access url.com/secure/trailer.flv you wont be able to thanks to .htaccess (download managers wont work either). But you'll be able to stream that location thanks to the php info to url.com/video.html and the source in the FLV file will look like url.com/md5hashtimestamp/md5hashstreamname/md5hashtimestamp/trailer.flv. So it'll be very hard to rip the stream from the flash file directly because that URL doesnt exit; you can't visit the site directly at url.com/secure/trailer.flv thanks to .htaccess; and finally only option is screen capture / software that records while streaming.

So it's not 100% secure but it does make things difficult for the end user - and best of all it's free