
password protecting directories

alley

Social Nutwork
NLC
I created this folder that I uploaded all of my MP3 files in to share with site visitors through an online media player.

I was wondering if I could password protect the directory so that if anybody viewed the source in the player they couldn't download the files? ...or would the files not stream in the player if I password protected the directory?
 
In the directory to be protected, create a .htaccess file with contents like this:

AuthType Basic
AuthUserFile /safe/dir/htpasswd
AuthName "Text displayed in popup"
require valid-user

To create the first and second user/password pairs, use:

htpasswd -cb /safe/dir/htpasswd user1 password1
htpasswd -b /safe/dir/htpasswd user2 PaSsWoRd2

hope that helps. :D
 
yeah, I have done it in cpanel before but never manually created one like methodcomp was suggesting.

So if I password protect the directory, will the files still stream in the media player on my site without members having to enter a password?
 
yes they will stream as long as the users enter the correct "password" and "username".

Another thing is in cPanel make it so one cannot surf to the directory IE:
"No Indexes"
for your media folder. Just to be on the safe side of course.
 
So if I password protect the directory, will the files still stream in the media player on my site without members having to enter a password?

yes they will stream as long as the users enter the correct "password" and "username".
So does that mean they must have the username and password before they can view the media? Doesn't that defeat the purpose of password protecting the folder in the first place?
 
Protecting the dir with htaccess isn't really a solution, generally when you publish things on the internet there isn't really a way to keep it safe, not unless you're protected by captcha and all sorts of other nonsense, however you can still make it harder for them....

PHP:
<?php
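if( !empty( $_GET['file'] ) && is_string( $_GET['file'] ) )
{
	/**
	* If you show me a link to the page with your player in I'll make it work for you
	* this is my best guess at the useragent of the player you're using
	**/
	$agent = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '';
	// preg_match() replaces ereg(), which was removed in PHP 7
	if( !preg_match( '/Windows-Media-Player/', $agent ) )
	{
		header( 'Location: ' . $_SERVER['SCRIPT_NAME'] );
		exit;
	}
	else
	{
		// basename() drops any directory part and only .mp3 names are served,
		// so the "file" parameter cannot be used to read other files or URLs
		$file = __DIR__ . '/' . basename( $_GET['file'] );
		if( preg_match( '/\.mp3$/i', $file ) && is_file( $file ) )
		{
			readfile( $file );
		}
	}
}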
else
{
?>
<embed type="application/x-mplayer2" 
	id="music1"
	pluginspage="http://www.microsoft.com/Windows/MediaPlayer/" 
	src="movie.php?file=test.mp3" 
	name="MediaPlayer1" 
	width="300"
	height="70"
	controltype="2" 
	showcontrols="1"
	showstatusbar="1"
	AutoStart="1">
</embed>
<?php	
}
?>

Anyone with a little knowledge can get around that, however they have to know what they are getting around first.

A more complicated way of achieving what you need, would be to keep the files underneath your webroot, you can then use sessions and some random keys to allow access to the file for those you validate as a user

http://krakjoe.com/download/phpCompile would be an example of the more simple method, and later on this weekend if you still need it I will write a more complicated example, right now though I'm off to macdonalds for breakfast .........
 
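The "files outside the webroot, sessions and random keys" approach mentioned at the end of the post above, as an added example (not code from the thread or its author). `MEDIA_DIR`, `TOKEN_TTL`, `issue_token()`, `serve_media()` and the `media.php` file name are assumed names, and it assumes the player sends the browser's session cookie, as an HTML5 `<audio>` element does.

```php
<?php
// Added example, not code from the thread. MEDIA_DIR, TOKEN_TTL, issue_token(),
// serve_media() and the media.php file name are assumptions made for illustration.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

define('MEDIA_DIR', '/home/example/private_media'); // assumed path outside the web root
define('TOKEN_TTL', 300);                           // seconds a key stays valid

// The player page calls this (after its own user validation) and puts the
// returned URL in the player's src attribute instead of the real file location.
function issue_token(string $file): string
{
    $token = bin2hex(random_bytes(16)); // 128-bit unguessable key
    $_SESSION['media_tokens'][$token] = [
        'file'    => basename($file),   // file name is kept server-side only
        'expires' => time() + TOKEN_TTL,
    ];
    return 'media.php?key=' . $token;
}

// Streams the file bound to $token, or refuses if the key is unknown,
// expired, or belongs to a different visitor's session.
function serve_media(string $token): void
{
    $entry = $_SESSION['media_tokens'][$token] ?? null;
    if ($entry === null || $entry['expires'] < time()) {
        unset($_SESSION['media_tokens'][$token]);
        http_response_code(403);
        exit('Forbidden');
    }
    $base = realpath(MEDIA_DIR);
    $path = realpath(MEDIA_DIR . '/' . $entry['file']);
    // realpath() resolves ".." and symlinks; the prefix test keeps reads inside MEDIA_DIR
    $inside = $base !== false && $path !== false
        && strpos($path, $base . DIRECTORY_SEPARATOR) === 0;
    if (!$inside || !is_file($path)) {
        http_response_code(404);
        exit('Not found');
    }
    header('Content-Type: audio/mpeg');
    header('Content-Length: ' . filesize($path));
    header('Cache-Control: private, no-store');
    readfile($path);
    exit;
}

if (isset($_GET['key']) && is_string($_GET['key'])) {
    serve_media($_GET['key']);
}
```

A key copied into another site's page fails because that visitor's session does not hold it; a validated visitor can still save whatever they are allowed to stream.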
Thanks guys ..but I think I may have just thought of an easier way to hide my playlist that displays the actual location of the MP3 files that the online media player is playing.

When you view the source on my media player's page, the only link to showing where my MP3 files are hosted is in a link leading to where my playlist is:
http://www.mywebsite.comcom/playlist.xml

So I am thinking if I just put my "playlist.xml" file in a sub directory and then password protect that sub directory maybe that will work? ...or will that still prompt them to enter a password in order for them to stream music in the player?

I don't want them to have to enter a username or password to be able to play the songs, I just want to hide my "playlist.xml" file so that nobody can view the links to where my MP3 files are hosted. This way they won't be able to download the MP3s.

Can anybody think of a way to do this without password protecting?
 
I don't know if this can match what you're doing, but have you tried Radio.Blog? It's basically a flash MP3 player, but instead of MP3s, it comes with an easy-to-use program that converts the MP3 in to RBS format. Also, it usually cuts the filesize of the song in half.
 
Whatever file is in the subdirectory it will ask for the Authentication, but I'm pretty sure you can channel out specific passwords within .htaccess.
 

Umm interesting.

Joe, would I be able to use this application with my site, which basically has a lot of movies which are viewable via an embedded media player in an HTML page?

What happens is folks from, let's say, myspace get the source file name and directory from right clicking on the player and then hotlinking to that file. Would your concept defeat this?

Example of how my site runs can be found here:

http://www.gotcanyons.net/rc51_tail.htm

tumble
 
It would work, however if the user had the foresight to copy and paste the exact html from your site to their myspace, that would circumvent it, however, you could do more than check the useragent, you can check the referring domain too, that can be spoofed but again, the spoofer has to know what they are spoofing, for most programmers it wouldn't take long to work out, but for most myspace users, it would take a lifetime.......

This may not work as is, however this is the way to go in your case ......

Your html tag for video ...

HTML:
<object id='mediaPlayer2' width="600" height="475" classid='CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95' 
codebase="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=6,4,7,1112">
        <param name='fileName' value="video.php?file=RC51-05_Tail.wmv">
        <param name='transparentatStart' value='true'>
        <param name='autoStart' value="True">
        <param name='showControls' value="true">
        <param name='loop' value="false">
        <param name="ShowStatusBar" value="false">
        <embed type='application/x-mplayer2'
pluginspage='http://microsoft.com/windows/mediaplayer/en/download/'
id='mediaPlayer' displaysize='1' autosize='-1' 
bgcolor='darkblue' showcontrols="True" showtracker='-1' 
showdisplay='0' showstatusbar='1' width="600" height="475"
src="video.php?file=RC51-05_Tail.wmv" autostart="True" loop="False"> </embed>
      </object>

Your video.php

PHP:
<?php
define("BASE_VIDEO_URL", 	'http://www.gotcanyons.net/vid' );
define("BASE_VIDEO_PATH", 	realpath( "vid/" ) );
define("ACCESS_DENIED_URL", 'http://www.gotcanyons.net/TOS_THAT_APPLIES_TO_THIS_MEDIA.html' );
define("NOT_FOUND_MPG", 	'404.mpg' ); // file name inside BASE_VIDEO_PATH, because get() reads from disk
define("NONE_SELECTED_URL", 'http://www.gotcanyons.net/vid/please_select_a_video.html' );
define("MUST_MATCH", 		'.*'); // placeholder that matches any referer; replace with a pattern for your own domain

function go( $url )
{
	header( sprintf( "Location: %s", $url ) );   
	exit;
}
function get( $video )
{
	// basename() drops any directory part, so "../" cannot escape BASE_VIDEO_PATH
	readfile( sprintf( '%s/%s', BASE_VIDEO_PATH, basename( $video ) ) );
}
function run_checks( )
{
	if( !empty( $_GET['file'] ) && is_string( $_GET['file'] ) )
	{
		$agent   = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '';
		$referer = isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '';
		// preg_match() replaces ereg(), which was removed in PHP 7
		if( !preg_match( '/Windows-Media-Player/', $agent ) or !preg_match( '#' . MUST_MATCH . '#', $referer ) )
		{
			return go( ACCESS_DENIED_URL );
		}
		elseif( !is_file( sprintf( '%s/%s', BASE_VIDEO_PATH, basename( $_GET['file'] ) ) ) )
		{
			return get( NOT_FOUND_MPG );
		}
		else
		{
		   return get( $_GET['file'] );  
		}
	}
	else
	{
		return go( NONE_SELECTED_URL );
	}
} run_checks( );
?>

It would go something like that...... and the example I posted has syntax errors sorry about that, never code on an empty stomach.

I would need access to finish, to get the regex right for the referring domain and be able to test it and tell you it is doing its job, but that's the general idea, and most of the work too......
 

PM sent via my confusion :confused4
 
Well I'm glad at least my thread was helpful to somebody ..lol
But I guess nobody can help me? :cry2:
 
I have an idea... it's not a total solution, but it would make things harder on someone. But, I need to see an example page to see if it will work before I go through all the trouble of trying to explain what I want to try.

So... if you can post an example page just as a visitor would see it and load up some dummy mp3, etc. I'll be glad to look it over and see if I can give you some suggestions to make things harder to steal.
 
Well I'm glad at least my thread was helpful to somebody ..lol
But I guess nobody can help me? :cry2:

Exactly the same thing can be done for you, I posted the code for you in the first place, there's no password protection and your visitors won't be able to hotlink or steal files, unless they are uber coders, in which case they probably won't have any need to steal your media to begin with.
 
someone once told me lockedarea.com was good. i could not get it to work on my linux server. so i ditched it. but i always wondered about it..

recently i have been looking into paypal for password mgt...

check this out....
http://paypaltech.com/SG2/Help/PERL/PassMgmtHelp.htm

Purpose: Automatically provide a fully configured Password Management script and matching subscription button. The generator creates the PayPal Subscription Button, paypal.pl file and .htaccess file for you. Subscription services often give their subscribers unique usernames and passwords in order that they may access "member only" sections of their sites.

good luck!
 