How to limit live streaming page to one connection per user?

Question

I want to limit the limit users who connect to my live streaming page, such that users can't share passwords and login multiple times under the same account, from different locations.

I don't mind if one user logs in on two different devices at his home, like a computer and a Google TV, for example. This makes me think restricting based on source IP address is the right way to handle this.

The problem is that if the user logs in, and I record their IP address, and restrict them to logging in just from that IP, they can't change locations.

With HTTP, after they log in, it's connectionless, so I've lost track of if they are watching the stream from the CDN or not.

It makes me think I should use javascript on the client to disconnect the player if the user logins into another location.

This means I need to have a way to communicate to logged in clients in a reasonably scalable way.

Can you suggest an appropriate way to handle this problem? I have the feeling there must be a simple and scalable solution for this.

Answer 1

It really depends on how sensitive you are to people bypassing your access controls.

If you're ok with some people bypassing them, then you can perform access control on the client side and have the client ping the server every 60 seconds or so telling the server that it's still streaming. Then in the server, store the IP address of the user in an expiring queue. So the IP address would expire out of the queue in, say, 3 minutes if the player stops pinging the server. And by pinging the server, I mean sending a simple http GET request to keep the session open. When the user closes the client, the pings would stop and your server would expire the IP address for that client after 3 minutes. At that point the user could log in with a different IP address.

It's important to keep in mind that savvy users would be able to watch the networking events in a browser like Chrome and see where your content is being served from and easily bypass any restrictions because you have no control over the CDN itself.

If you need stricter control, you'll need to serve the content from your server. Then you'll absolutely know when a client has stopped accessing a stream.

There might be a middle ground. If you're worried about streaming speed without a CDN, you might consider taking a look at CloudFlare.com. CloudFlare is a CDN layer that sits in front of all of your http requests, even the dynamic ones. The static requests are served from the edge, like a normal CDN, but the dynamic requests are reverse proxied through CloudFlare's network, back to your server each time. If you setup your streaming requests to look like dynamic content to CloudFlare then the you would gain the potential benefit of streaming over a low latency, high bandwidth connection to the edge point while still being able to track users individually.