Update: This is now a tutorial on how to give some level of security to streaming videos if:
1) you are using Flowplayer with Apache
2) you don't want users to be able to download the video (streaming only)
3) you don't want users to be able to put the URL of the video in the browser (limited access videos)
4) you only want users to be able to stream the video if they have the proper credentials
You must have prior knowledge of PHP and .htaccess files.
Original Post:
My client wants his videos hidden so that they cannot be streamed until they are purchased on his domain (he doesn't want users to be able to download the video either). I'm trying to do this with Flowplayer's Secure Streaming and I think I'm almost there 9I'm there now!). After searching everywhere I found this post.
I've restricted hot-linking by other sites via .htaccess now I'm trying to restrict access by someone just copying the url and pasting it in the address bar (i.e. http://www.mydomain.com/videos/testVideo.mov)
I've used PHP/AJAX to generate this HTML (most examples out there use the JS Flowplayer Plugin, I'm using the <object> tag to embed the player, no JS involved. If you use the JS plugin, use that instead of the embedded version, the .htaccess file and the video.php file will be the same.)
$videofilename = 'testVideo.mov';
$hash = md5('1234');
$timestamp = time();
$videoPath = $hash.'/'.$timestamp.'/'.$videofilename;
echo '
<object width="667" height="375" type="application/x-shockwave-flash" data="http://releases.flowplayer.org/swf/flowplayer-3.2.8.swf">
<param name="wmode" value="transparent"/>
<param name="movie" value="../swf/flowplayer.securestreaming-3.2.8.swf" />
<param name="allowfullscreen" value="true" />
<param name="timestamp" value="'.$timestamp.'" />
<param name="token" value="'.$hash.'" />
<param name="streamName" value="'.$videofilename.'" />
<param name="flashvars" value=\'config={
"playlist":[
{"url": "'.$videoPath.'", "baseUrl": "http://www.mydomain.com/videos", "autoPlay":false,"autoBuffering":true,"bufferLength":5}
]
}\' />
</object>';
Now in the directory videos I put this .htaccess file:
RewriteEngine on
RewriteRule ^(.*)/(.*)/(.*)$ http://www.mydomain.com/vidoeos/video.php?h=$1&t=$2&v=$3
RewriteRule ^$ - [F]
RewriteRule ^[^/]+\.(mov|mp4)$ - [F]
Update:
The purpose of the php file is to 1) get the data hash, timestamp, and video filename (test.mov or whatever) 2) Make sure everything checks out (I purposely ommitted the security checks in this example for length) and 3) Give Flowplayer the stream of your video. Make sure the $originaltimestamp and $hash are good before giving access. You may also check session credentials, get the 'real' file location from a database, or do any kind of php security checking you want before you give the user access.
Also remember to change the Content-type: field so it correlates with the correct file extension (i.e. video/mp4 if the video is an *.mp4)
And videos/video.php looks like this:
<?php
session_start();
$hash = $_GET['h'];
$streamname = $_GET['v'];
$originaltimestamp = $_GET['t'];
header('Content-Description: File Transfer');
header('Content-type: video/quicktime');
header("Content-length: " . filesize($streamname));
header("Expires: 0");
header("Content-Transfer-Encoding: binary");
$file = fopen($streamname, 'r');
echo stream_get_contents($file);
fclose($file);
?>
Three files total, the HTML with the player, the .htaccess file and lastly the video.php file. My original problem was the $streamname was wrong. Remember the $streamname should be the file location after (or under) the BaseUrl. Hope this helps someone like me!
Anyone see security issues with doing it this way?
