I'm building a web-radio like service, in which the user authenticates to the services, gets a cookie and a Flash-based app plays mp3s from the server. The server only delivers if the client is allowed for that particular mp3.
If a user opens a HTTP logger (like FireBug), he can see the files being downloaded by flash. If he opens the mp3 URL directly via the address bar, he can easily download the MP3, although the URLs are not guessable by the user.
I'm looking for a safe system to prevent the user from downloading the MP3 directly to his system. I have examined last.fm, as they use a similar setup, and somehow they prevent it.
In the end, you're not going to be able to stop someone who's determined. However, you can at least make it difficult.
There are several options involving referrer checks, authentication, and fun stuff like that. But probably the most successful anti-downloading check I've seen was one that works like this:
The user indicates that he wants to stream a file; the app makes an authenticated, encrypted request indicating his desired action. The result is a one-use-only and time-limited URL that is recognized by whatever application or CDN is hosting the file. After the URL is used once (i.e. by the flash app) it then expires and can never be used again. If the streaming does not start within a given amount of time (several seconds), the URL likewise expires. Obviously the URL given does not directly correspond to the file name, but is instead authenticated, decoded, and translated server-side.
It's still not impossible to work around, but it's fairly difficult.
You might use RTMP instead of HTTP to deliver audio data. RTMP is meant to be used for streaming audio, video and misc data. It streams just data rather than a file. It's not 100% safe, because if something gets to client (browser, flash player, whatever), user can save it, but it's still better than giving a file via HTTP.
You will need a server that supports RTMP though, e.g., Flash Media Server (FMS), Wowza or Red5.
Related
I have a bucket with files in it in AS3. I have access to the PHP API and a server that can send requests to Amazon on command.
What I want to do is grant access to a file in my bucket using an HTTP GET/POST request. From what I understand using this function:
get_object_url ( $bucket, $filename, $preauth, $opt )
I can make the file publicly accessible for the $preauth amount of time at a given URL. I don't want to do that, I want the file to be privately available at a URL with required POST or GET credentials (deciding who can access the file would be based on a database containing application 'users' and their permissions). I understand the security implications of passing any kind of credentials over GET or POST on a non-HTTPS connection.
Is this possible? I could just download the file from AS3 to my server for the extent of the transaction then do all the controls on my own box, but that's an expensive solution (two file downloads instead of one, when my server shouldn't have had to do a download at all) to a seemingly easy problem.
The short answer is no.
You could look at Amazons IAM for some more ways to secure the content especially in conjunction with Cloudfront but essentially there is no way to provide access to content by passing along a username and password.
Of course, if you are already authenticating users on your site, then you can only supply the signed url to those users. The url only has to be valid at the time the user initiates the download and not for the entire duration of the download.
Also, if you intend to use your server as a proxy between S3 and the user you'll be removing a lot of the benefits of using S3 in the first place. But you could use EC2 as the server to remove the extra cost you mentioned - transfers between S3 and EC2 are free.
I'm using loadVars to load a PHP URL with lots of sensitive information required for the Flash application. Only problem is that URL can be accessed via a web browser which raises security issues if someone gets a hold of this URL. Is it possible to have the PHP page only accessible via my Flash application?
Appreciate the help!
Thanks
No, there is no way to limit a page to a specific app, browser or user agent, since all of those things can be mimicked. If you are passing around sensitive information then you need to do authentication and use encrypted data transfer (HTTPS).
Regardless of how you attempt to make it only accessible from your Flash application, a determined user will certainly be able to view the page also. It can be as simple as proxying the requests through an HTTP proxy like Charles, Firebug or Wireshark.
There are things that can be done to make it more difficult to figure out what the data is from viewing the page directly. For instance, you can encrypt the data or output it as binary. But since SWF is an open sourced format, users can use decompilers or just inspect the ABC (Actionscript Byte Code) to see what is really going on.
The short answer is NO, you cannot protect the information available to the client side (Flash) from being accessible from other clients.
As long as you have a page on HTTP, a determined user can always find a way around any user-agent restrictions imposed by you.
One way to protect the data (other than using HTTPS) is to encrypt it at the server, send it over HTTP and then decrypt it in Flash using as3Crypto or some other cryptography library.
Hope this helps,
I am creating a google-chrome application that will download songs from an octet stream, however due to JavaScript restrictions, I cannot create a "download" button. The user must right click and select save file as. I wish to create a php page that will redirect the browser to the location of the octet stream, which will be on a different site, and then create a download dialog there. I know there are probably security restrictions here, but is it possible to have a php page redirect and set the content disposition headers of that page it is redirecting to?
Note: I cannot get the octet stream from my server to save because the host I am using does not support php calls to external sites.
The download dialog (content-disposition header) has to be produced by the other site. There's no way around it, because browsers will only believe headers from the same server. If the other site doesn't produce the desired headers, and if you don't own the other site, there's nothing you can do about it.
You might write a PHP script which accesses the other site on behalf of the user, downloads the octet stream to the server first, and then sends it to the user with the desired headers. In other words, your script would act as a proxy server. Look into the curl module if interested. But this will cause your server's bandwidth to skyrocket, and there may also be problems with copyright.
I'm making a members area for my site and I have it already running. I authenticate members using mysql and php and this works really well.
But now problems occurs, I would like to offer members a possibility to upload files to the systems, and those files should be available ONLY to logged in members.
I know I could store those files to a database or even in a filesystem and serve them throught php, BUT this will get very heavy for the server when members upload bigger files. Those files might be even 20MB or even bigger.
I would like to let apache serve the files, but just need to find a way to automatically do the http authentication, so users wouldn't need to log in twice. I suppose it is ok to make this http authentication behind one username and password, something like when a user logs in to the php and mysql authentication, transparently at the same time javascript etc. would do that http authentication also, every member would do the http authentication with the same credentials. Of course I wouldn't want to store those http auth credentials in a javascript file, but something ajax like solution maybe would do the trick. I'm just not sure how to do this.
It seems like you are confusing authentication (where you provide some way to login) with HTTP authentication (where you specifically use the HTTP protocol to authenticate, and the browser shows a popup to the user).
You probably want the former so you can style the login page. In that case you'll have to use PHP or some scripting langauge to check that the user is logged in. fpassthru or readfile can be good solutions for some web sites; they're fast and optimised for this type of work.
If you really want to do the file handling work in the web browser and not in PHP, one solution can be to create unique, short-lived filenames. You can for example create hard links to the file in PHP using link and then redirect the user to the temporary filename. Store the hard links in a database and remove them after a short while.
Check out Using PHP/Apache to restrict access to static files (html, css, img, etc). I think the approach taken there is pretty similar to your problem.
I need help finding resources that would help me or at least point me in the right direction in building a Flash media server/PHP application. I basically want to improve my current application by instead of progressive download using flash media server so that the videos will not only stream well but they can't be downloaded by the end user.
What the current application does is show a login form on the homepage and then when logged in the user can then navigate the site by choosing videos from a particular video category or video uploaded by a specific user. All this is done with PHP. The video page uses progressive download to display the video after the video ID has been passed using PHP.
I need to know how PHP and flash media server work together. Are there any resources out there where I can find a good application example (really simple) that demonstrates how PHP and flash media server can be used to stream videos dynamically such that PHP checks for the login, video ID, video channels, and video category information while the flash media server streams the video.
Really, PHP and FMS shouldn't be talking at all. It can be done within FMS, but a much easier approach is to let your Flash Player (which you'll have to have anyway) do the talking to FMS. Flash to FMS communication is well documented and very easy. Just have the PHP call forth a Flash video player with whatever info you need. It would probably be eaiser to have PHP authenticate and give the Flash some sort of authentication token if you're really worried about security.
Just so you know though, just because your media is streaming doesn't mean someone can't download it. There's several tools to rip streamed media out there. It is of course more secure, but it's not full-proof.
You may want to try Red5 instead of Flash Media Server. I've use Flash Media Server in the past and it can be a pain to take care of. With Red5 you at least have more flexibility and it is free. If you go down the Red5 path you will find more people customizing it like this one time ticket for Red5 post. I believe that is very close to what you are looking for.
The biggest problem with PHP and Flash (mediaserver) is the different "flow" of code.
PHP is straightforward:
Start request, do something, send response. Done.
Flashmedia only loads (compiles) your code when a client connects, and then only events are triggered. Most operations do not return, but need a callback.
Load application.. wait for something.. Event launched: do something, fire off another request together with a response handler object.. etc.
I have build an extensive chatservice with FlashMedia server and PHP as front and back-end.
The front-end is simple: just plain PHP/HTML-pages which will eventually create an <OBJECT>-tag loading some Flash applet.
That flash applet should connect to the Flash media server using information/credentials passed to it with the FlashVars-option or loaded (generated) XML-data from a separate URL.
From that point, the Flash applet (client) does it's thing with the Flashmedia server.
For this example, you want to verify credentials from the Mediaserver. You should use the AMFPHP framework for that.
AMFPHP is a replacement for Macromedia's "Flash Remoting" system where Flash [applets/servlets] can do asynchronious communications over HTTP.
For the AMFPHP-framework you write an interface class wrapping your credential-validation code. There is a test-page which validated the response of your wrapper.
(The AMFPHP Framework can also generate AS2 sample code so you have an idea how the Flashmedia server should send an request and handle responses.)
A warning: AMFPHP uses POSTs to send
and retrieve data. In the past,
there were problems when more than
2k of data was truncated. I now only
use it for relative short messages.
AMFPHP is very reliable. You can use it to do external logging for example.
Using flash media server so that the
videos will not only stream well but
they can't be downloaded by the end
user
This won't really work. It make make it "harder" for some people in the same way that not putting a big, huge "download here" button makes it "harder", but the content is still being downloaded to their computer, just in a different way. Anything that's downloaded can be saved to the disk.
I am doing similar thing. First, for authentication, you can use FMS's authentication plug-in. Of course, you can make your own stuff in PHP. Instead of adding PHP into FMS's original Apache, I decided to run XAMPP in parallel, with different port of course.
To start and stop the encoder, you can make use of FMLEcmd command.
My environment:
Flash Media Development Server 3.5
Flash Media Live Encoder 3.1
XAMPP (at port 8080)