Quote:
Originally Posted by Sands
My recent research has led me to the conclusion that hotlink protection for Flash video files is quite difficult as Flash video players do not send referrer information when they access the video. If I'm not mistaken, .htaccess depends on this referring information to determine whether or not the video is being hotlinked.
Your best option, given the above information is accurate, is to seek out and implement some streaming video solution as they normally afford you hotlinking protection.
Outside of this, you will probably want to obfuscate the link to your videos (such as using www.domain.com/stream.php?video_id=X as the URL for the video) and/or implement some solution where the names of your video files are changed at certain intervals.
Hopefully someone more knowledgeable than myself will chime in.

Flash ALWAYS sends player/version information along with it, including referer header information [at least, the last time I checked]. It's not possible to remove this from within the flash itself; the headers are fixed.
You don't want to change your filenames, what you want to do is this.
When you embed your videos, feed a hash into the player.
This hash will be either a] time locked, or b] 1 time only [ie, stored in a db]
The player, when it goes to load the video, will send the original hash, and a modified [xoring is easiest] version of the hash.
When the request comes to play the file, if the first hash and second hash aren't present or aren't matching as they should be, the file simply doesn't play.
There are other steps to take from here, keeping your hash system well salted, encrypting your SWF file [to prevent your xor algo getting cracked].
This is not the only way. There are quite a few others, such as:
1 - Set a session when the visitor hits your page. No session, no play.
2 - Whitelist the person's IP when they hit your page, for ~30 seconds to play a video. No whitelist, no play.
There are heaps of ways of doing this.
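
The time-locked and one-time token idea from the reply above, sketched server-side as an added example (not code from the thread). It signs the token with an HMAC instead of the XOR transform the post mentions; the key, TTL, function names and the in-memory set standing in for the db are assumptions.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = b"constructed-demo-key-change-me"  # assumption: server-side secret (the "salt")
TOKEN_TTL = 30                                   # assumption: seconds a token stays valid
_used_nonces = set()                             # stands in for the db table of spent tokens


def _sign(video_id: str, expires: int, nonce: str) -> str:
    # Bind the signature to the video, the expiry time and the one-time nonce.
    msg = f"{video_id}|{expires}|{nonce}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(video_id: str, now: int) -> str:
    """Called when the embedding page is rendered; the token is fed to the player."""
    expires = now + TOKEN_TTL
    nonce = secrets.token_hex(8)
    return f"{expires}.{nonce}.{_sign(video_id, expires, nonce)}"


def check_token(video_id: str, token: str, now: int) -> bool:
    """Called by the video endpoint before any bytes are served."""
    try:
        expires_s, nonce, sig = token.split(".")
        expires = int(expires_s)
    except ValueError:
        return False                      # missing or malformed token: no play
    expected = _sign(video_id, expires, nonce)
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return False                      # forged, or issued for another video
    if now > expires:
        return False                      # time lock has run out
    if nonce in _used_nonces:
        return False                      # one-time token already spent
    _used_nonces.add(nonce)
    return True
```

If the player fetches the file in several requests, drop the nonce check and rely on the time lock alone.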
