I have to build an application where users can download videos from a site but cannot share them. My first solution is to save these files in a hidden location on the users computer since one of the requirements is that the user should be able to watch the downloaded videos offline.
Please how do I go about saving a file in a location the user cannot see using php.
Thanks.
One solution is to generate token for each request for a video. That token would have its lifetime. Php script should be serving the content instead of giving direct access to resource to user. The script should check if the token is still active before serving the content.
It is up to you how to pass the token. The simplest way is to make it contained in uri.
No matter where you put your videos in your directory structure, you always send the data as a partial request. Once data is acquired by the user, it could be saved an reproduced.
There are techniques, however, to protect your video from direct download through curl, wget or other ways of download. And this is using a secure token and an expiration, passed as parameters. This way your video download window will be limited and generating the token manually would be pretty hard.
Chidiebere Onwunyirigbo, its a Great Question. One solution for your requirement is Steganography. It is the process of concealing your data (videos) behind other files (multimedia files like image, audio, video), in your case preferable would be Image Steganography. It is quite a old technology but new to many, you can get several ready tools/code for it on the internet which you can customize as per your need. From your side you have to provide the file that is already embedded inside the image for download. Only the tool coded for retrieval and rendering the hidden video can render your video. So, for this part all the users of your site have to first download this desktop application from your site for viewing the video. This will keep your videos safe on the users computer offline, because every user who takes the video will require the reverse steganography tool to be downloaded from your site. You can even embed secret info like users IP inside the Stego image along with the video and for each tool download, associate user computer's IP with the tool. If IP embedded inside Stego image matches with that of tool only then you allow to play else redirect application to get it registered. But the limitation would be that, the users will have to download your application and will be able to view videos only on your desktop application which will render the Steganographed video.
You cannot hide information on the user computer. Even if your process are running on a windows comp as SYSTEM user, a power user can take ownership of the files.
The only solution you have, are developing or using a known DRM system, for allowing only playing the video on a determined computer or another specifications (for example, if the program have the authentication token of some user).
At any case, you need to do two things for this:
- You need a custom application to play the video, if you want to check DRM.
- You need to recode / modify something on the video before download, for adding on them a code for allow only play on the destination computer or data used for authenticating DRM.
Related
I'm working on an application where I have a web interface for a screen on my wall, and the goal is to allow my friends to upload images to it.
Right now I have a basic web interface with a login, which authenticates a session and has a page which allows uploading an image and changing some of the parameters of the screen. The parameters are stored in a MySQL database, as well as the login details. This part I've heavily based off the approach detailed in this link:
https://phppot.com/php/secure-remember-me-for-login-using-php-session-and-cookies/
Ideally I can allow my friends to upload images to this screen in a secure way that is as simple as possible. What I am imagining is a unique URL link that can be sent to them, which takes them to a page where they can upload an image but do not have access to change any of the screen parameters and so on. This URL would allow anyone who has it to upload pictures, but I want the owner of the screen to also be able to deactivate the URL if it is no longer secure. The owner could ideally generate a number of URLs that they could share with different people, which would all upload to the same screen.
My question is firstly, is this a good approach and is there a way to do this securely (without opening access to the screen parameters and so on)? I would prefer to avoid giving these "guest" users login details, as that is one more account to remember and reduces the simplicity of uploading to the screen.
My next question would be how to do it? My current idea is to have a new database with columns for the screen ID (to allow it to work when I have multiple screens) and link URL. The screen owner would generate some kind of random string as the URL and save it to the database. The "guest" upload page would only allow uploads if the redirected URL is found in the database. Right now I'm looking at affiliate link examples to get ideas on how to implement this, but if anyone has better suggestions of what to search for or other examples it would help a lot.
I'm very new to web development so I'm not sure if I'm describing my approach clear enough or if my goal even makes sense. I'm also very uncertain of any possible security issues I may be introducing with this approach, so anyone has suggestions or possible pitfalls please let me know. I don't know how much I don't know.
You can use Tokens :
generating tokens with php
You generate an URL with the token inside then send it to your friends:
www.myULR/token
After, you create a table token with all tokens with a jointure with user's id,
and you should easily verify with PHP, if tokens exist and user is not an impostor, allow him to upload files.
When I go to the url of my bucket file it downloads straight away. However I only want users that are logged into my application to have access to these files.
I have been searching for hours but cannot find out how to do this in php from my app. I am using laravel to do this so the code may not look familiar. But essentially it just generates the url to my bucket file and then redirect to that link which downloads it
$url = Storage::url('Shoots/2016/06/first video shoot/videos/high.mp4');
return redirect($url);
How can i make this file only accessible for users logged into my application?
We ran into a similar issue for an application I'm working on. The solution we ended up working with is generating S3 signed URLS, that have short expiration times on them. This allows us to generate a new signed link with every request to the web server, pass that link to our known auth'd user, who then has access for a very limited amount of time, (a few seconds). In the case of images we wanted to display in the DOM, we had our API respond with an HTTP 303 (See Other) header and the signed URL, that expired with-in a couple of second. This allowed the browser time to download the image and display it before the link expired.
A couple of risks around this solution: We know a user could possibly request a signed URL and share it with another service before the expiration happens programmatically, or an un-auth'd user who was intercepting network traffic could potentially intercept the request and make it themselves, we felt these were edge case enough that we were comfortable with our solution.
How can I embed a video in a website with html/php, so it can't be downloaded by a visitor? The visitor can just view the video but can't download it.
If you are trying to stop someone 'stealing' the video then at the end of the day you can't - if the video plays on the users browser then it has to pass from the server to the users machine and a malicious user can capture it one way or another.
If you mean that you just want to default action to be that the video plays back rather than downloads, then using the standard HTML5 tag in the default way will provide this behaviour.
Assuming it is the 'stealing' case you are worried about then DRM is the technology most often used to address this concern - this encrypts the video so that someone copying it will not be able to play it back without the correct key. How you manage the keys is obviously critical but most of the common DRM providers will have established ways to securely manage the keys. The technology is quite complex so using a hosted video service which supports DRM might be an approach to consider (e.g. https://support.brightcove.com/en/video-cloud/docs/content-protection-drm or http://corp.kaltura.com/Products/Features/DRM).
In your situation, right-click protection can make sense. This feature protects your video from unwanted downloads and works on any website. It blocks downloading on right mouse click and restricts accessing the file’s original source code. Optionaly, you can add a text or link to be shown on right mouse click that directs people to your website when they try to download your video. Learn more here
I need to know a method to upload a video to a VIMEO PRO account using a form and PHP (to get auth). Currently I can send a video directly to Vimeo, using the panel, as was to be expected. But I have some clients that want to upload your videos directly from my their control panel (created by me), outside of vimeo, and I have only a unique PRO account, and I can't share the account data.
Seems that I can do it, based on the page API https://developer.vimeo.com/apis/advanced/upload#post (Uploading via POST).
My doubts are:
Can I really do that, without pass to my clients the Vimeo PRO account data?
It's a secure method (considering that clients respect the agreement with Vimeo)?
I need to upload DIRECTLY to Vimeo, without pass to my server, because I'll have two works: one to upload to server, other to upload from server to vimeo.
Off-topic: I believe I will not have problems with Vimeo, since they are customers of one company, and the account belongs to the company, and the videos will be her responsibility.
How should work
User access my panel, with your credentials;
User access the video upload page;
Probably the server will contact Vimeo to get an uploader auth;
User will select your vimeo file and submit form;
System will receive the vimeo ID and everyone will be happy forever.
Thanks!
Edit: This feature is now supported by Vimeo's (in beta) API3. You can request access at https://vimeo.com/help/contact
The below information is still accurate in regards to the Advanced API
This feature is not reliably supported by the advanced api.
The primary issue is that with client side uploads, there is no way to tell the upload server what to do once the upload is complete. Additionally, there is no client side technique to find out whether the upload has completed
You might be able to cheat and have the user upload through an iframe, and have the primary page perform a verify chunks call every couple of seconds. I have not tried this, at the moment it is just a theory. If you attempt this hack, Vimeo would love to know more via their contact page https://vimeo.com/help/contact
The feature you are discussing is on the roadmap for the next version of the API, and an early imperfect version was available at their API Hackday. It might be a better idea to hold off a bit and wait for the official feature.
NOTE: This observation does NOT apply to server side uploads. Because the whole upload process is handled via code on the server, it is extremely easy to tell when an upload is complete.
Answering in 2016: Assuming you have already retrieved an access token from Vimeo (OAuth2) this is a good piece of code to help you create an upload form:
https://github.com/websemantics/vimeo-upload
This gives you the code for the form with a place to drag-drop your video file and calls the upload API:
If you're using WordPress, there is a plugin available that allows you to do just that
http://vimeography.com/add-ons/vimeography-upload/
Source: I made it :)
I'm building a MYSQL database driven website on a AWS EC2 instance. Users can submit their data and we will automatically create a web page for them. The webpage will display their submitted data including a photo. Upon original submission of the user's data, we store the photo in S3 using AWSSDKforPHP. When their information is approved by an administrator a webpage is created via a php script.
I've tried the method of generating a signed url. This however requires a expiration time. Is there a way around this? It also includes your access and secret key in the request. Not sure if that is the most secure way to do things. I'd like the method to be as secure as possible so I don't want to make the bucket public. Unless there is a way to make the stored images available only for viewing.
What's the best method to use in a situation like this? Thanks for your help!!
Basically URLs to amazon S3 buckets are s3.amazonaws/bucket_name/key_name all you need to do is make sure the content on those buckets is publicly available and that mime type for those keys is indeed image (image/jpeg or image/png)
I used this web tool to manage my site. I opend my bucket just to its ip and now i can control the restriction from the tool, for the basic viewer I gave read access only