如何防止人们在不登录的情况下访问源视频？

Question

I am trying to make a login that would give you access to some videos, pictures, and other files. I can do this with php and a get request ( www.example.com/foo?video1 ) and making sure they have a cookie of some sort, but I am unsure how to prevent someone from just typing in the link of the source files ( www.example.com/videos/video1.mp4 ). I need away to prevent people from accessing the source files.

System:

• macOS Sierra 10.12.6

• Apache

Thanks, Josh

Answer 1

Put the source files in some directory that is not public, or use an HTAccess. Then, use file_get_contents() and echo to spit out the video. It might look something like this:

getvideo.php?video=test

    <?php
if($_SESSION["username"]!==null)//whatever auth mechanism
{
if(file_exists("videos/".  str_replace( [ '\\', '.', '/'], '', $_GET["video"] ). ".mp4"))
{
header("Content-Type: video/mp4");
readfile("videos/".  str_replace( [ '\\', '.', '/'], '', $_GET["video"] ). ".mp4");
}

else
{
header("HTTP/1.1 404 Not Found");
}
}
else
{
header("HTTP/1.1 401 Unauthorized");
}
exit;
?>

Answer 2

Here's an idea if you're using Apache.

Make sure the Rewrite module is turned on.

Create a .htaccess file in your videos directory with the following content:

RewriteEngine On

RewriteRule . video.php?video=$1

Now, create a file named video.php with something like this:

<?php
/**
 * require your login / db files here
 * and check if the user is logged in,
 * if it isn't redirect back or whatever you need
 */

$video = $_GET['video'];
$video = str_replace('..', '', $video); // prevent ../../file 

if (file_exists($video)) {
    header('Content-type: ' . mime_content_type($video));
    echo file_get_contents($video);
} else {
    // 404...
}

Now you can call yoursite.com/videos/video.mp4 and place your video files in the videos directory.