We have an asp script that allows users to view videos through a flash player.
The path of where our media files are located is shown if you "view source". I don't think there is anyway we can hide the path as the the asp page uses java script for the flash player.
Is it possible to prevent users from downloading files directly from our webserver, but at the same time only allow the source script to access the files?
With youtube, if you view source their pages, you can also see the path of where their files are stored. They are also downloadable if you use their getfile.php link. Is there no way for a person to prevent downloading of their files but allow source script acces, or does youtube actually set up their servers like this on purpose?
I've tried setting hidden permissions on the files, disabling read, or using the ../ method. Although this disables downloading, it also disables our script from accessing the file.
Does anyone have any suggestions? Thanks in advance
The way I normally approach a problem like this is to create a repository for my files (in this case videos) that is out of the reach of the end user's browser, perhaps placing them in a directory above the wwwroot directory (if you're using IIS, which I assume more than likely you are). Then I create a small script that is able to read the data from a file in that repository, and serve it. This way, instead of directly serving the data, the file that reads from the directory can deny access to it based on interface or other information.
If that makes any sense to you, I hope it helps, if not, I'll try and come up with a less complicated way to explain the theory.
The best thing I can think to do is as tonten said, have a script that reads the file based on a variable input and outputs it, but have the file IDs as one-use-only.
After the file is downloaded once (by the flash player) the ID/key/filename is removed and serve up a 404 from this script.
Also, you should check the referer, if the referer isn't your site then it would mean the user could have copied the URL and based it in thier Address bar.. or worce yet some fool is hot linking to your content!
This is still easy to work around though..
The fact of the mater is if a user is going to watch it there will be a way for them to rip it out and save it. There are ways of making it more trouble than its worth, IE DRM and formats like .ra from Real Networks. DRM is Ugly-*** though