Stealing Video Bandwidth Thieves

[roosevelt]

Hi,

I have a video website, and it hosts all the videos on the server. However, there are some websites who are stealing bandwidth by streaming video from my server on theres.

To protect the direct URL of the video files, here's what I got set up.

- The direct URL is stored in the database.

- A PHP file basically takes in the video id, fetches the direct url, and streams the contents.

So, even if the direct URL is not known, the thieves can actually just stream it by calling the php file, with the supplied ID.

Is there any way I can protect and make sure the videos are served only in my domain?

[sweetsam]

When a visitor comes to your website give them a video key that is generated unique to each user. Now set up the php video url fetcher to see if this key is present. So when they call the php script directly since the key is not there you know they are directly linking.

[roosevelt]

Nice, I like that idea. It's a quick fix, but what if people like open the website URL first making it look like a Browser request, and then calls the php script? Then the server will think it's an actual user. Is there any other way?

[Rohdekill]

personally, I'd move the files to a new directory, do new code.

Leave the script in place and have no matter what call made to it run some disgusting animal porn film...that will teach them.

[Kami-]

Hi,

You could try setting access with sessions, where if user tries to visit a video without access tehy are taken to your main webpage instead. Please ntoe this is a quick fix, and is probably exploitable with a bit of effort, but I'm still hungover to think of something better right now. :)

[sweetsam]

Nice, I like that idea. It's a quick fix, but what if people like open the website URL first making it look like a Browser request, and then calls the php script? Then the server will think it's an actual user. Is there any other way?

Not if you keep changing the key every time the page is loaded. In order to set this up have the links to videos in your pages as below...

www.site.com/video?key=HGJYKJHK234kjh234234k?id=dfsdf7dsf8sdf9sdf

Where id identifies the video and key is regenerated every time the page is reloaded. Now when a legit user clicks on a link you can check the key stored as a session or in the database. Also have a time limit on the validity of the key. That way they can not save the key. Now in order for the link to work they will have to load the page every time to get a fresh key.

[primexx]

would something like this work?

key.php: stores some random string in a variable (let's say, $key)

fetchurl.php: has a function which fetches the direct url; checks to see if $key is correct.

every_single_page.php: include both key.php and fetchurl.php, then use the function from fetchurl in this page itself. instead of passing the movie id to fetchurl.php via GET.

that way all direct calls to fetchurl won't work, and you also don't have to waste time generating random keys each time.

[sweetsam]

would something like this work?

key.php: stores some random string in a variable (let's say, $key)

fetchurl.php: has a function which fetches the direct url; checks to see if $key is correct.

every_single_page.php: include both key.php and fetchurl.php, then use the function from fetchurl in this page itself. instead of passing the movie id to fetchurl.php via GET.

that way all direct calls to fetchurl won't work, and you also don't have to waste time generating random keys each time.

This can be defeated by requesting the every_single_page.php and then scraping out the url.