protecting videos from being stolen in browser

Question

1.00/5 (1 vote)

See more:

Below i logic i am trying to prevent video from being stole but i got stuck some where.

i created a page index.php

XML

<?php
    session_start();
    $_SESSION["check"]="aaa";
?>
<video width="320" height="240" controls>
    <source src="video.php" type="video/mp4">
</video>

and video.php

PHP

$file = "a.mp4";
    $file_size = filesize($file);
    $fp = fopen($file, "rb");
    $data = fread ($fp, $file_size);
    fclose($fp);
    header ("Content-type: video/mp4");

    if(md5($_SESSION["check"])=="aaa"){
       echo $data;
    }else{

    }

but i want when user open video.php he should simply get some message or error but not videos
as user can get value of session on video.php
he still is able to see and save video any way to pervent this

Posted 10-Dec-13 22:49pm

garav kumar mishra

Add a Solution

Comments

enhzflep 11-Dec-13 6:12am

At a quick glance.

1) Put the videos in a folder outside the server-root (user cant enter direct address of video)
2) Use php to fetch them from here (non-authenticated users cant get the page that retrieves the video)
3) Use flash's DRM

This won't stop screen-recordings, but will make the downloaded data useless to anything but the flash video player. 3dBuzz.com changed their system a few years ago when I used to visit to something like this. No idea if its since changed.

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Er. Tushar Srivastava · Answer 1 · 2013-12-16T05:38:00

Solution 1

Hi Friend,
Try This.... I was moved by your question and I dived into the deep ocean of coding and I took out this beautiful pearl for you. Tell me if it worked for you as per your requirement or not. Also, do rate my answer. Happy Coding :)

Here's my solution.. this is what I call two layer security and is unbreakable (according to me)... Try it...

PHP

<?php
/**
 * index.php - The Entry File
**/

// Start the session
session_start();
// It is really important to regenerate id on every click...
session_regenerate_id();

// We will tell the next file that we have a token set using session
$_SSEION['setToken'] = true;

// The filename... You can get that from a $_GET variable and store it here
$token = "vid.mp4";

// We will be encrypting the video name using session id as key ans AES128 as the algorithm
$token_encrypted = openssl_encrypt($token, "aes128", session_id());

?>

<video width="320" height="240" controls="">
  <source src="video.php?vid=<?php echo $token_encrypted; ?>">
</source></video>

PHP

<?php
/**
 * video.php - The First Entry Point
**/

session_start();
// Get Token
$token = $_GET['vid'];
// Get Current Session ID
$prev= session_id();
// Test the session variable token is set
if(isset($_SESSION['setToken']))
{
  // This was a one time token and this is your security
  unset($_SESSION['setToken']);
  // Now we will re-encrypt the token
  $token = openssl_decrypt($token, "aes128", session_id());
  // Now Regenerate the session id
  session_regenerate_id();
  // Now re-encrypt the token with a key combination of both new and old ids
  $token = openssl_encrypt($token, "aes128", $prev.session_id());
}
else
{
  // If token was not matched, we have changed the id therefore the next script will not be able to decrypt the token
  session_regenerate_id(true);
}
header("Location: access.php?id=".$prev."&vid=".$token);
?>

PHP

/**
 * access.php - The main serving file which will server the video
**/
session_start();

// Decrypt the Token to get back the video file name
$token = openssl_decrypt($_GET['vid'], "aes128", $_GET['id'].session_id());

// Check if file exists
if(file_exists("videos/".$token))
{
  // Another important point here is a session id regeneration
  session_regenerate_id(true);  

  $file = $token;
  $file_size = filesize($file);
  $file_pointer = fopen($file, "rb");
  $data = fread($file_pointer, $file_size);
  header("Content-type: video/mp4");

  echo $data;
}
else {
  echo "Error: File Does not exists";
}

I hope that this complete example will help you attain the results you want to achieve. And Thank you very much for such a nice riddle.

With Regards
Tushar Srivastava

Posted 16-Dec-13 5:38am

Er. Tushar Srivastava

Updated 26-Jan-14 0:13am

v4

Comments

BobJanova 16-Dec-13 11:50am

The user can watch browser traffic (e.g. through Chrome's F12), stop the initial request to video.php, and go direct to access.php with the VID token in the initial page. Additionally, the user can record the response to the request to access.php and save it.

Er. Tushar Srivastava 16-Dec-13 12:40pm

All Right... There is another solution then... Do one thing... in the if condition in video.php... decrypt the token, regenrate the session id and use new session id to re-encrypt the token and send it to access.php Now, is the problem solved? :)

BobJanova 16-Dec-13 13:36pm

Nearly but no. The user can still record the response and save it, or block the initial request to video.php and then submit it manually.

Er. Tushar Srivastava 16-Dec-13 14:12pm

Alright... Logically Correct.... Fine, I need time but I will make an unbreakable code :) :) :)

Er. Tushar Srivastava 16-Dec-13 12:51pm

Have a look at the code now, I have updated my code....

garav kumar mishra 18-Dec-13 12:57pm

ok that is fine.
But when user press ctrl+s in firefox vidoe gets downloaded.

where as in chrome no vidoe gets downloaded. ??

Er. Tushar Srivastava 19-Dec-13 13:12pm

Actually The Video Tag in HTML5 has this issue.... I would recommend you to to use either flash player or some other player maybe written in Java like jwPlayer ..... Best of Luck

garav kumar mishra 24-Jan-14 14:19pm

i recently discovered bug open browser click view source.
you will get link of video as

http://localhost/test/access.php?id=2hmekb383qv3k8cpn45eep2u60&vid=kXjCRz4E8PLe2Ztq7loJAg==

when u open this link in browser u can still watch video and can be downloaded also

Er. Tushar Srivastava 26-Jan-14 6:11am

Logically, if the page is loaded successfully in browser, the first request has been made by video tag and thus.... the given link should no longer be valid.... :/ i.e. if the user will click on the generated link, he will no longer be able to request the same file again :/ (it was a one time token link).... Please do review the code if I had missed some check... :)

garav kumar mishra 26-Jan-14 14:05pm

no basically what happens is when u click view source of page directly like
view-source:localhost.com/video/ then u can get url of access page and this works

Er. Tushar Srivastava 27-Jan-14 3:05am

I guess, I have understood the problem.... :/ Well the solution can not be much difficult if we use javaScript or jQuery (a library in javaScript). What can be done, is use AJAX to get the jSon encoded url and then replace that with the dummy url in the video Tag.... :) moreover, the jScript can generate a token which will be scrambled so that no user can use that token to directly request to video.php :) That can be a lot of client side programming in javaScript though... Best of Luck :)

garav kumar mishra 29-Jan-14 10:45am

what i see when i play video idm(Internet Download Manager) is able to grab video and video gets downloaded.

there is site
http://cmsdemosite.net/index.php/concrete5-addons/secure-streaming-addon/
here vidoe does not gets downloaded via IDM how this can be achieved ?

Member 13929183 31-Jul-18 13:30pm

Tushar Srivastava,

I am newbie to php. Can you please tell me how I do add my video file to your script.

For explame if I want to play this url : https://www.sample-videos.com/video/mp4/720/big_buck_bunny_720p_1mb.mp4

On which .php I need to add it??

I tired my best to understand but I end up with error "Error: File Does not exists"

Any help appreciated.

Thank you

Er. Tushar Srivastava 1-Aug-18 7:40am

Hi,

In "access.php" there's an if-else condition. In that condition (file_exists(...)) is used. This is used only to check if the file exist in filesystem (not from URL). So, you need to change that function to if(@fopen("https://www.sample-videos.com/video/mp4/720/big_buck_bunny_720p_1mb.mp4","r")==true) {} and it should work.

Best of luck.

Member 13929183 1-Aug-18 8:22am

<?php
/**
* access.php - The main serving file which will server the video
**/
session_start();

// Decrypt the Token to get back the video file name
$token = openssl_decrypt($_GET['vid'], "aes128", $_GET['id'].session_id());

// Check if file exists
if(@fopen("https://www.sample-videos.com/video/mp4/720/big_buck_bunny_720p_1mb.mp4","r")==true)

{
// Another important point here is a session id regeneration
session_regenerate_id(true);

$file = $token;
$file_size = filesize($file);
$file_pointer = fopen($file, "rb");
$data = fread($file_pointer, $file_size);
header("Content-type: video/mp4");

echo $data;
}
else {
echo "Error: File Does not exists";
}
?>;

Do I missing anything.. Still the video wont play..

I need your help on this.

Thank you

Member 13929183 5-Aug-18 15:40pm

Please help me on this issue with your complete script using URL