How to Password Protect Streaming Videos with PHP

How to password protect files (images, video, zip) dynamically from public and allow access to members only?

You would usually redirect any requests for the media files to a PHP script. The PHP script does the login authentication, and on success, loads the requested media file from a protected location, and passes it through to the browser, for example using fpassthru() or fread().

You can set up a very elegant solution using a set of mod_rewrite instructions, for example rewriting

www.example.com/media/music.mp3

internally to

www.example.com/media/index.php?file=music.mp3

the method is not cheap, as the PHP interpreter has to be started for every download, and pass through every byte of the file. For a discussion of possible alternatives, I asked a question about that a few months back: Performance-oriented way to protect files on PHP level?

How to show streaming videos to only authenticated users?

aadravid,

reading about the htaccess solution, i wonder if a AUTH/ACL based approach would not be better. The easiest way to enter this realm is the acl/auth tutorial.

Implementing it exclusively with the CakePHP features would get rid of the strangely looking Apache authentication popup.

Edit0:
Maybe the Security Component is for you?

Edit1:
Giving it further thought and lecture, you maybe:

Have to create a folder for every user, making the parent folder not showing the indices (via .htaccess). If you want to go fancy, you could map foldernames to users randomly, adding another difficulty for "curious people".
Create the .htaccess file for each of these folders automatically, including the necessary file e.g. usersHTpasswd somewhere out of the webroot. In usersHTPasswd you would add the htpasswd hash according to your method used at the very same time you would initialize a users folder. Just lookup how this is done (guess md5, but you can tune that imho)
Manipulate basic authentication credentials via PHP header functions (or better cake).
For group access, you could do some magic in this step.

Strong points (if the solution works, you are my guinea pig :-)):

Once this is set up the security is equivalent to the htaccess solution to the only weak point of a user giving away her credentials.
The basic idea then would be to only use the SecurityComponents force login feature if the user is not AUTH-enticated yet (maybe SecurityComponent can be omitted completely)
Streaming video is as easy as popping a html5 video tag in your view and referencing the target.
works on shared hosts with (.htaccess files)
will be cool over SSL

Weak points:
- Unfortunatly not a one-call-cakephp-will-do-it solution

Sources explicitly used to create this post:

devshed , has neat idea(s) but suffers from readable folder
apache httpd for htaccess, DirectoryIndex

It took me quite a time to come up with this, so everybody feel free to discuss your ideas (or upvote :-))

Edit2:
wrksx, an active contributor in the cakePHP community, gave me the tip to try MediaView
*sniff*

Edit3:
Another contributor, voidet, pointed out that MediaViews chunking - and by the way your used method of serving static files through PHP - hits the CPU. You can install
x-sendfile as apache module or resort to my solution, if the performance hit is too big.
Maintaining the htaccess files could be challenging.

How to protect streaming videos from download

Can videos be protected from downloading so that no one should be able to record them?

The short answer is: No.

Longer answer: It is impossible to protect anything from downloading unless you don't want anyone to watch it. Remember: if they can see it, they can record it.

How to secure mp4 files using PHP tokens or sessions

First things first...
If you have control on your HTTP server AND if you are using apache, I would suggest to control this via mod_redirect in your .htaccess

Add this to your .htaccess

RedirectMatch 403 ^/uploads/?$

Of course, change /uploads/ to your mp3/mp4 directory.

Second, your approach is good, I would add more entropy with the link though.

At all costs, never in your $link or any request disclose where the files are located. Create a link that will end up looking like https://example.com/mp4loader.php?load=A_LONG_HASH_HERE

Then Validate the hash against your files and use readfile to stream the mp4 to the browser.

How to secure HLS videos, with AES 128

Basically you could encrypt every chunk with AES-128. AES-128 encrypts the whole chunk with AES using a 128 bit key, Cipher Block Chaining (CBC) and PKCS7 padding. The CBC will be restarted with each segment using the Initialization Vector (IV).

You could do this with ffmpeg by creating a key file that contains the following contents:

Key URI
Path to Key File
IV (optional)

You could create the key with openssl:

openssl rand 16 > video1.key

The file would then contain the following contents:

http://my-server.com/video1.key
video1.key

And then use ffmpeg by providing the path to the key file:

ffmpeg -i input.mp4 -hls_time 6 -hls_key_info_file keyFile playlist.m3u8

This will create the segments and a manifest which should contain a #EXT-X-KEY:METHOD=AES-128,URI attribute.

#EXT-X-KEY:METHOD=AES-128,URI="http://my-server.com/video1.key"