I am trying to make a login that would give you access to some videos, pictures, and other files. I can do this with php and a get request (www.example.com/foo?video1) and making sure they have a cookie of some sort, but I am unsure how to prevent someone from just typing in the link of the source files (www.example.com/videos/video1.mp4). I need away to prevent people from accessing the source files.
System:
macOS Sierra 10.12.6
Apache
Thanks, Josh
Put the source files in some directory that is not public, or use an HTAccess. Then, use file_get_contents() and echo to spit out the video. It might look something like this:
getvideo.php?video=test
<?php
if($_SESSION["username"]!==null)//whatever auth mechanism
{
if(file_exists("videos/". str_replace( [ '\\', '.', '/'], '', $_GET["video"] ). ".mp4"))
{
header("Content-Type: video/mp4");
readfile("videos/". str_replace( [ '\\', '.', '/'], '', $_GET["video"] ). ".mp4");
}
else
{
header("HTTP/1.1 404 Not Found");
}
}
else
{
header("HTTP/1.1 401 Unauthorized");
}
exit;
?>
Here's an idea if you're using Apache.
Make sure the Rewrite module is turned on.
Create a .htaccess file in your videos directory with the following content:
RewriteEngine On
RewriteRule . video.php?video=$1
Now, create a file named video.php with something like this:
<?php
/**
* require your login / db files here
* and check if the user is logged in,
* if it isn't redirect back or whatever you need
*/
$video = $_GET['video'];
$video = str_replace('..', '', $video); // prevent ../../file
if (file_exists($video)) {
header('Content-type: ' . mime_content_type($video));
echo file_get_contents($video);
} else {
// 404...
}
Now you can call yoursite.com/videos/video.mp4 and place your video files in the videos directory.
