问题
I use expiring urls to hide the urls of images I use on my sites, so that they can only be hotlinked for the duration of the life of the hash (1 hour).
I check the hash sent with the file url, against a hash on the server, if they match, the script calls the following code:
if (isset($_GET["hash"])) {
$this_min = date('Y-m-d-g',time()) . "salt" . $vid_id;
$current_hash = substr(md5($this_min),0,12);
$submitted_hash = mysql_real_escape_string($_GET["hash"]);
if ("$current_hash" == "$submitted_hash") {
$file_url2 = "directory/" . $vid_file;
header('Content-Type: application/octet-stream');
header("Content-Transfer-Encoding: Binary");
header("Content-disposition: inline; filename=\"".md5($vid_file)."\"");
readfile($file_url2);
exit;
} else {
$_SESSION["message"] = "Download link expired, refresh the page and try again";
$_SESSION["message_type"] = 0;
header("Location:" . $_SERVER['HTTP_REFERER']);
exit;
}
}
I use this in an tag (for example, <img src="index.php?id=123&hash=ew6rg5reg4">and it works perfectly. If the image is hotlinked, it will stop working when the hash changes, every hour (or minute if necessary). Unfortunately, this same method doesn't work when I use it to load .flv files into a flash player, such as the JW player . No .flv file is loaded.
Any way I can fix this or achieve the same thing with an alternate method?
回答1:
You can't really hide a downloading URL very effectively. Safari, for example, exposes all resources downloaded via the Activity window. Just look for the item that is MB in size and that's your FLV file.
The only way to keep people from ripping your FLVs is to use RTMP streaming, where they never get access to the full file.
回答2:
you can stop referrers other than your domain with htaccess fils (apache server only)
RewriteEngine On
Options +FollowSymLinks
<ifmodule mod_rewrite.c>
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain.com/.*$ [NC]
RewriteRule \.(gif|jpg|png|mp3|mpg|avi|mov|flv)$ - [F]
</ifmodule>
回答3:
Would be interesting to know what runtime error the player script throws ?
You may have more chances to make it work with the MIME type set to video/x-flv or flv-application/octet-stream.
回答4:
It should work fine with JW player etc, too.
Some servers, for example nginx, have modules to very efficiently do this sort of validation so you don't have to do it in PHP.
回答5:
The only way to truly limit access to flv files is to implement some king of ACL on the server where the file is located or is streamed for. I'm using Wowza Media for live video streaming and the server has implemented several mechanisms to protect your files/ streams: ACL based authentication, StreamNameAlias ...
来源:https://stackoverflow.com/questions/558653/how-do-you-hide-the-url-of-the-flv-file-in-a-flash-player