I'm building a web-radio-like service, in which the user authenticates to the services, gets a cookie and a Flash-based app plays mp3s from the server. The server only deli
In the end, you're not going to be able to stop someone who's determined. However, you can at least make it difficult.
There are several options involving referrer checks, authentication, and fun stuff like that. But probably the most successful anti-downloading check I've seen was one that works like this:
The user indicates that he wants to stream a file; the app makes an authenticated, encrypted request indicating his desired action. The result is a one-use-only and time-limited URL that is recognized by whatever application or CDN is hosting the file. After the URL is used once (i.e. by the Flash app) it then expires and can never be used again. If the streaming does not start within a given amount of time (several seconds), the URL likewise expires. Obviously the URL given does not directly correspond to the file name, but is instead authenticated, decoded, and translated server-side.
It's still not impossible to work around, but it's fairly difficult.
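
A minimal sketch of the one-use, time-limited URL scheme described in this answer, added here as an example and not part of the original answer. The HMAC-signed nonce, the in-memory `_pending` table, the `/stream/` path and the function names are assumptions; a real deployment would keep the nonce table in a store shared with the file host and delete entries atomically.

```python
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: per-deployment signing key
TTL_SECONDS = 5                       # streaming must start within "several seconds"
_pending = {}                         # nonce -> real file path, never sent to the client


def _sign(nonce, expires):
    """HMAC over nonce and expiry so neither can be altered client-side."""
    msg = f"{nonce}.{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_url(file_path, now=None):
    """Call after the authenticated request; returns an opaque stream URL."""
    now = time.time() if now is None else now
    nonce = secrets.token_urlsafe(16)   # URL-safe alphabet, contains no "."
    expires = int(now) + TTL_SECONDS
    _pending[nonce] = file_path
    return f"/stream/{nonce}.{expires}.{_sign(nonce, expires)}"


def redeem_url(url, now=None):
    """Return the real path exactly once; None if forged, expired or reused."""
    now = time.time() if now is None else now
    try:
        nonce, expires_s, sig = url.rsplit("/", 1)[1].split(".")
        expires = int(expires_s)
    except (IndexError, ValueError):
        return None                     # malformed URL
    expected = _sign(nonce, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None                     # tampered or forged, nonce left untouched
    path = _pending.pop(nonce, None)    # pop makes the URL single-use
    if path is None or now > expires:
        return None                     # already used, or redeemed too late
    return path
```

Because the signature is checked before the nonce is consumed, a forged or altered URL cannot be used to burn a legitimate listener's pending token.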