Flowplayer Anti-leeching

According to the documentation:

FlowPlayer can use authentication codes to protect against inline linking of video and image files. Inline linking is also known as hotlinking or direct linking. To implement this in your site you need to use a server side script/app that generates these authentication codes and stores them into a file called flowplayer_auth.txt. The player reads the contents of this file just before a protected clip is loaded and concatenates the contents to clip's file name.

So if the code stored in the authentication file is 'asdfln83yrojfalu3rl' and the clip's url is 'cars.flv' the player requests a file called 'asdfln83yrojfalu3rlcars.flv' from the server.

For this scheme to be effective the authentication code should change periodically (for example once in a minute). Additionally the server script/app needs to verify whether the incoming request contains a valid code and only serve the file if the code is valid.

I could not find any good references online on how to actually implement this, so I figured I'd steal from myself and copy some work I had done earlier to watermark the images on my web site. The basic idea was as follows... Create a php handler for all .flv files in a directory and use .htaccess to rewrite the requests to it. This php file would do the check against the auth code as well as updating it, at minimum, every 60 seconds.

The .htaccess file

Here is the .htaccess file I created for the directory where the flv files and the Flowplayer script are located

Options +FollowSymlinks
RewriteEngine on
RewriteRule .*\.flv$ /public/flowplayer/flvloader.php?pathinfo=%{REQUEST_URI}

This simply takes any requests for .flv files and passes the file URL as a parameter to the flvloader script.

The flvloader.php file

Here is the handler file:

//get actual file called for
$path_parts = pathinfo($_GET['pathinfo']);
$file = $path_parts['basename'];

//name of authorization file must match the setting in flowplayer
$authfile="flowplayer_auth.txt";
//seconds to reset the auth code
$stale=60;

//check if authfile exists and the change date
if (file_exists($authfile)) {
  $expired=filemtime($authfile)+$stale;
} else
{
  header("HTTP/1.0 404 Not Found");
  exit();
}

//read auth code from file and rehash it to a new code if expired
$handle = @fopen($authfile, "r+");
if ($handle) {
   $code = fgets($handle);
   if (time()>$expired) {
     rewind($handle);
     fwrite($handle, md5($code));
   }
   fclose($handle);
} else
{
  header("HTTP/1.0 404 Not Found");
  exit();
}

//check authcode matches file and if so set the name to the real file otherwise 404
if (is_numeric(strpos($file,$code)))
{
  $file_real = substr($file,strlen($code),strlen($file)-strlen($code));
} else
{
  header("HTTP/1.0 404 Not Found");
  exit();
}

//send file or 404 if not found.
if (file_exists($file_real))
{
  header("Content-Type: video/x-flv");  
  header("Accept-Ranges: bytes");  
  header("Content-Length: ".filesize($file_real));  
  header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
  header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past  
  @readfile($file_real);
} else
{
  header("HTTP/1.0 404 Not Found");
}

This simply checks how old the auth code file is, and updates the code with a hash of itself (for the next load) if the stale value has been exceeded. Note that the web server process bust be able to read/write the auth file.

The authorization code then checks if the code string in the authorization file is in the the filename passed by the Flowplayer script. If so it strips it off and returns the file (if it exists). It sets up some of the header attributes of the file: the mime type, the length and flags it as not-cacheable.

Embedding it on the page here

Just so you have the complete package, here is the syntax of the called Flowplayer object I used.

< object type="application/x-shockwave-flash" data="/blog/uploads/video/FlowPlayer.swf" 
  width="320" height="263" id="FlowPlayer">
  < param name="allowScriptAccess" value="sameDomain" />
  < param name="movie" value="/blog/uploads/video/FlowPlayer.swf" />
  < param name="quality" value="high" />
  < param name="scale" value="noScale" />
  < param name="wmode" value="transparent" />
  < param name="flashvars" value="config=
    {	
      authFileName: '/blog/uploads/video/flowplayer_auth.txt',
      baseURL: '/blog/uploads/video',
      playList: [  
        { url: 'play.jpg', controlEnabled: false},
        { url: 'barsandtone.flv', protected: true},
        { url: 'play.jpg', controlEnabled: false, duration: 1}
      ],  
      loop: false, showMenu: false, noVideoClip: { url: 'clipna.jpg' }
    }" 
  />
< /object>

Pretty simple. Because of the way my blog performs URL translation, I had to provide some full path information to the player. Additionally, as I wanted a "click to play" displayed at the start, I used it once as a still, then again at the end of the playlist. This let the playlist rewind itself and be ready for another click to play the video. The only problem I have is with browser caching. Sometimes the Flowplayer gets cached and uses an expired authorization code. This could be minimized by changing the authorization code expiration time, if desired.

Security

This method will not stop a person from downloading the flv file but it does a good job of stoping an external site from hotlinking directly to the flv file, or even from hotlinking to the Flowplayer object and running it off your site (eating up your bandwidth). Here is a direct link to the flv file barsandtone.flv that will NOT return the flv file because of the htaccess handler.

That's it! If you found this useful or have any comments, as always, use the form.